Microsoft, Linux vendors slow to fix flaw

Operating system vendors were given two months' notice before a serious security flaw was made public, but some have yet to resolve the issue, a security researcher has claimed.

Colin Percival detailed the vulnerability -- which affects versions of Intel's CPU that use a technology called hyper-threading -- at a conference on May 13.

The vulnerability could allow hackers to steal sensitive information such as passwords on servers configured to allow multiple users to log in simultaneously.

The FreeBSD security team member has received formal responses to the issue from the makers of the BSD family of open-source operating systems, as well as SCO and Ubuntu Linux. However, Linux vendors Red Hat, Novell and Mandriva as well as Microsoft have been slow to act.

"Given that I reported this problem in early March, I really think that they [Microsoft and Linux vendors] should have had a patch over a month ago -- in time to test it extensively before releasing it on May 13th," Percival told ZDNet Australia.

"I made it quite clear to everyone that I would be releasing my paper on that date and that they should make sure they were ready by then," he added.

A spokesperson from Red Hat said its security team rated the issue as having "a moderate security impact", and that it was working with the creators of the OpenSSL toolkit -- which is used to exploit the vulnerability -- on a fix.

A Microsoft spokesperson said while the company was investigating Percival's report, it was "not aware of any active attacks using this method at this time", and would wait until completion of its investigation to take action.

"We are aware of the issue and have been working on it," a Novell spokesperson said.

Percival also took issue with Intel's reaction. The company had described the risk as "very low".

"Intel is being too simplistic," he said. "This flaw allows users on a machine to steal each other's data."

Although the problem only affects multi-user servers, these machines are widely used. "The most obvious example is shared Web servers, which constitutes the vast majority of small e-commerce sites," he said. "On these systems the flaw is very serious."

Last December, Percival alerted the BSD family to the problem and a workaround has since been posted.

Talkback 2 comments

  1. Anonymous -- 28/05/05

    Read the paper for yourself.

    http://www.daemonology.net/papers/htt.pdf

    Yes it is a problem if you can find a timer accurate enough to time the execution time of instructions (the resources provided by the chip are not) and if you can control the task load. To control the latter you have to have root access. With root access there are far quicker ways to gain access to passwords.

    The guy is a ****, shared caches are a good idea as they make more efficient use of a limited resource. To expect the industry to give that up because the alignment of the moon and the stars allow one to work out what is happening in one thread from the other is a nonsense.

  2. Anonymous -- 28/05/05

    Well - first of all:

    This is not exactly an OS problem. It is a problem with the design of the processor. I guess Intel is to blame here.

    Secondly:
    To make use of this design flaw you have to have access to a deep level in the OS. For a lot of systems that means you have to have enough rights to operate on such a low level. Most times this means "root" or "Admin" rights. It is obvious if you have enough rights to make use of the design flaw it is useless to exploit it. What would be the gain?

    So - I don't think it is a great issue for systems that have a good security model (Unix and derivatives etc.). It is - however - a big problem for systems that do not have a tight security model (where users have a lot of admin rights, like Windows).

    Of course you don't have any problem when you are using a different processor (AMD, RISC etc..).
