8 More Spectre-Type Flaws Found in Intel Chips (Report)
If you thought Intel was putting the Spectre and Meltdown flaws behind it, well, nothing is ever that simple. According to a report from German computer magazine C'T, Intel is planning to address eight new vulnerabilities stemming from the same design issue in its CPUs that led to Spectre and Meltdown, and has reserved a series of Common Vulnerabilities and Exposures (CVE) numbers for them.
On May 3, Intel executive vice president and general manager of product assurance and security Leslie Culbertson issued a statement on potential new security issues:
"Protecting our customers’ data and ensuring the security of our products are critical priorities for us," Culbertson wrote. "We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers.
"We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."
While most of the issues are reportedly at the same risk level as Spectre, which can admittedly get pretty high, there's one interesting nugget: a flaw that would easily let a malicious hacker exploit code in a virtual machine and attack the host system, whether it be a single PC or, say, a major corporation's server, and get into more virtual machines that way.
"Although attacks on other VMs or the host system were already possible in principle with Spectre, the real-world implementation required so much prior knowledge that it was extremely difficult," said the English-language version of the C'T story. "However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level."
C'T refers to the eight vulnerabilities as Spectre-NG (Next Generation), but that seems to be a name made up on the magazine's part. The magazine suggests each vulnerability could get its own name, and there will likely be eight different patches -- one for each issue.
The report states the first wave of patches could go live in May (Microsoft's next Patch Tuesday for Windows 10 is on Tuesday, May 8), while the rest are being prepped for August.
The report suggests some ARM chips may be vulnerable to the Spectre-NG flaws, and that AMD is researching if this affects its processors as well. Meltdown affected a few ARM and AMD chips.
But Spectre affects almost every CPU in the last two decades, and if these new reports are correct, we won't be shaking similar vulnerabilities anytime soon until there's a wholesale redesign of the processors.
"It seems that for each fixed issue, two others crop up," the C'T article said. "During the past twenty years, safety considerations have only played second fiddle to performance in processor development."
Image credit: BeeBright/Shutterstock
Windows 10 Security and Networking