Following January’s reports of Meltdown and Spectre affecting Intel processors, security researchers found eight new vulnerabilities in Intel processors. As Google Project Zero’s 90-day deadline ends on May 7 for companies’ disclosure of technical details and solutions, the flaws — named Spectre Next Generation or Spectre NG — were characterized as similar to the previous Spectre attack scenarios. Four of the flaws were rated as “high” risk and the rest are of “medium” severity.
Each vulnerability will have their own number in the Common Vulnerability Enumerator (CVE) directory. Intel patches will come in two waves, with one in May and the next in August. Linux developers are working on measures against Spectre as well, while Microsoft is preparing patches for the said vulnerabilities, which they will distribute as optional updates. Further, Microsoft is also offering $250,000 in a bug bounty program for more unknown Spectre-related flaws. Advanced RISC Machine (ARM) CPUs from Japan’s Softbank’s ARM Holdings are speculated to also be affected by these new vulnerabilities, while Advanced Micro Devices’ (AMD) architecture is still being examined.
Spectre NG is similar to the previously patched flaws, allowing third parties to extract sensitive information such as passwords stored in memory. However, one of the new variants reportedly simplifies attacks across the system’s restrictions by running an exploit code in a virtual machine (VM) and attack the host system from there, or attack VMs of other clients running on the same server.
While users previously felt discouraged to update their systems with distributed patches addressing these vulnerabilities because it could slow down their systems’ performance, Intel released a statement to address the issue and encourage all users to keep systems updated. Just like the January attacks of Spectre and Meltdown, the following recommendations still serve as best practices:
- Update the firmware from reliable vendors and regularly check for available security updates
- Familiarize yourself with the necessary configuration changes to enable device protection
- Verify that the installed security solution supports the current version
Update: May 07, 2018
New information suggested that Intel requested to postpone the publishing of the vulnerabilities' technical details, and it seems that Google Project Zero agreed to the delay. Due to the number of affected systems, the company is seen having problems getting the patches out in time for May 7 and intends to do the coordinated release of the microcodes on May 21 or July 10 with the details of at least two variants. Likely affected systems include Core processors, Xeon spinoffs, Atom-based Pentium, Atom and Celeron CPUs released since 2013, which affects desktops, laptops, smartphones and other embedded devices. The August 14 patch will likely address the most serious vulnerability affecting cloud environments, and Intel is reportedly releasing hardware and software improvements for other manufacturers and vendors to implement.
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.