There may be eight new Spectre-class CPU vulnerabilities affecting Intel and ARM chips
We may not have seen the end of this year’s Spectre-class vulnerabilities. German computer magazine Heise.de has published a report stating that they’ve gotten word of new Spectre-class flaws that are currently being investigated by the security community. These new exploits will reportedly be announced in the coming days.
Heise.de discovered the vulnerabilities through the Common Vulnerability Enumerator (CVE) directory, which is the industry’s central list of vulnerabilities.
In the meantime, Intel has already put out a statement seemingly in response to the report, titled “Addressing Questions Regarding Additional Security Issues”:
Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.
The Heise report has dubbed the new vulnerabilities Spectre-NG, short for Next Generation. Similar to the first round of Spectre vulnerabilities, Spectre-NG relies on a side-channel attack on a processor’s speculative execution engine.
No technical details have been released at this time, in accordance with accepted and responsible reporting practices. However, researchers have long speculated that it would be possible to utilize the same principles that underpinned the original flaws to build more sophisticated attacks that would in turn be able to circumvent the existing patches.
Several processor vendors have just finished pushing out the final round of Meltdown and Spectre patches, and it remains to be seen whether Spectre-NG will render them obsolete.
Furthermore, because the existing patches have been shown to have a negative impact on certain aspects of system performance, it’s possible that any patches developed in response to Spectre-NG will result in additional performance hits.
According to Heise.de, Intel has already developed patches, which will be delivered in two waves. The first will roll out in May, and the second is planned for August. Microsoft is also reportedly preparing its own fixes.
The website also claims that one of the new vulnerabilities is more dangerous than the original Spectre. It would theoretically allow an attacker to launch exploit code within a virtual machine, and then attack the host or other VMs.
This poses a similar risk to cloud server hosts as the original Meltdown, and Intel will want to act fast to reassure its customers.
Most of the Heise.de report focuses on Intel, but the article also says that ARM is probably affected as well. AMD is likely not spared either, but that has yet to be confirmed.