The online German computer magazine Heise.de is reporting that eight new Spectre-class vulnerabilities have been discovered. The vulnerabilities purportedly affect Intel and ARM processors, but the impact on AMD processors remain unknown. We reached out to Intel for comment, and the company provided this statement, which neither confirms nor denies the vulnerabilities:
Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.
Much like the first round of Spectre vulnerabilities, these newly discovered vulnerabilities rely upon a side-channel attack on a processors' speculative execution engine. As per normal and responsible reporting policies, the teams of researchers that discovered the attacks are not releasing details until processor vendors are given a reasonable amount of time to develop patches, which should help ward off exploits, at least for now.
The new discoveries, which Heise.de terms "Spectre-NG" (Next Generation), come after several processor vendors delivered the final round of Spectre and Meltdown patches to the public. As we've seen in our own testing, the existing patches can have an impact on performance in a wide range of applications, and further protections may bring about more pain-inducing mitigations.
Heise.de discovered the vulnerabilities through the Common Vulnerability Enumerator (CVE) directory, which is the industry's central list of vulnerabilities. Details of the technical aspects are still slight, but as many have opined in the early days of the Spectre and Meltdown revelations, building more sophisticated attacks based on the same basic principles could allow attackers to circumvent the existing patches. That appears to have come to fruition, as these attacks are merely another iteration of the same tactic. Heise.de expects more information to surface in the coming days.
Heise.de claims that Intel has already developed patches, which will roll out in two waves: One arrives in May, and the second is planned for August. Microsoft is also purportedly readying its own patches. According to the site, four of the vulnerabilities fall into the "high risk" category, while the other four are rated as "medium."
The website also claims that one of the vulnerabilities is much more dangerous than the original Spectre. In theory, attackers could launch exploit code from within a virtual machine, which could then attack the host or other VMs. Unfortunately, these attacks could even sidestep Intel's Software Guard Extensions (SGX), which are designed to protect the most sensitive passwords and encryption keys.
Unlike the fog of uncertainty that clouded CTS Labs' disclosures of AMD vulnerabilities, the Spectre-NG issues appear to be real. Intel has already promised that in-silicon fixes for the original Spectre/Meltdown issues will be released this year. These hardware-based mitigations should reduce, or even eliminate, the performance impact of the current patches.
In light of Intel's recent disclosure that it's delaying its next-generation 10nm chips, we aren't sure if those fixes will come this year. If the Spectre-NG is real, there is a possibility that Intel had enough forewarning to include hardware-based fixes for those vulnerabilities, as well.
We'll update as more information comes to light.
