Eight more Spectre vulnerabilities have been found in Intel chips
Four are considered ‘high risk’, and Intel is already working on a fix for the vulnerabilities.
The headlines around Spectre and Meltdown have died down since their initial reporting a few months ago, but it looks like the issue is about to flare up again. Eight new Spectre-type vulnerabilities have been found, one of them by Google’s Project Zero, which discovered the first set of CPU flaws.
German tech site Heise reports that these Spectre Next Generation, or Spectre NG, vulnerabilities have been passed on to Intel, who rated four of the issues as high severity and four as medium severity. The site also reports that they have been assigned CVE identifiers, but no technical data has been forthcoming so far in the hope that Intel can patch the issues before disclosure. Time appears to be running out on that for at least one of the vulns, as May 7th is the end of the usual 90-day disclosure window for the flaw found by Google’s Project Zero team.
The brief details that have been reported show that these are similar vulnerabilities to the original flaws, and that they are of particular concern to cloud providers, as one enables code running on one virtual machine to attack another virtual machine or even the host server. Heise also mentions that while the original Spectre/Meltdown flaws were difficult to exploit, these new flaws are easier for attackers.
Heise also mentions that some ARM processors are vulnerable, and at this time it’s not known if AMD is affected.
Intel has issued a vague statement that they’re working on mitigations without specifying what those mitigations are. Leslie Culbertson, Intel executive vice president, writes:
“Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers”
Not good news for anyone then, coming hot on the heels of issues with the mitigations for the original Spectre/Meltdown flaws and performance losses due to them. Intel will have to work quickly to patch these issues, but maybe it’s time for a fundamentally new chip design. Perhaps that’s part of the reason behind hiring Jim Keller away from Tesla.