The vulnerability, known as Foreshadow, has two versions: the original, designed to extract data from Software Guard Extensions (SGX) enclaves, and a next-generation version that affects virtual machines, hypervisors, operating system kernel memory, and system management mode (SMM) memory, according to a site devoted to the vulnerability.
The flaws have been assigned the identifiers CVE-2018-3615 (for SGX), CVE-2018-3620 (for operating systems and SMM) and CVE-2018-3646 (for virtualisation).
In January, Intel announced two flaws named Meltdown and Spectre which used speculative execution to attack systems.
The other two flaws were found by Intel. The first team notified Intel on 3 January, and the second on 23 January.
SGX is a feature developed by Intel and present in Intel Core processors and Intel Xeon processors. It enables computers to protect users' data even if the system gets taken over by an attacker.
At the time when the Meltdown and Spectre attacks were disclosed, it was thought that SGX was immune to speculative execution attacks.
"Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key," the advisory said.
"Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem."
Dr Yarom, of the CSIRO's Data61 unit and the University of Adelaide's School of Computer Science, who was part of the second team, said: "SGX can be used by developers to enable secure browsing to protect fingerprints used in biometric authentication, or to prevent content being downloaded from video streaming services.
"Foreshadow compromises the confidentiality of the 'fortresses', where this sensitive information is stored, and once a single fortress is breached, the whole system becomes vulnerable.
"The SGX feature is widely used by developers and businesses globally, and this opens them up to a data breach that can potentially affect their customers as well. Intel will need to revoke the encryption keys used for authentication in millions of computers worldwide to mitigate the impact of Foreshadow.
"Intel's discovery of the Foreshadow-NG variant is even more severe, but will require further research to gauge the full impact of the vulnerability."