Intel’s woes with Spectre continue to unfold, some five months after the CPU flaw was made public. Several groups of researchers have now discovered no fewer than eight new Spectre variant vulnerabilities, including four that have been classified as critical flaws.
The new flaws have collectively been dubbed Spectre NG, and each of the eight security holes in Intel CPUs will require its own patch. They can be exploited on a host machine by running a virtual machine (VM). Fundamentally they’re the same security vulnerabilities as previous Spectre flaws, just variants on a theme.
The four high-risk Spectre NG vulnerabilities are classified as the most dangerous and could pose a serious threat to servers and hosting providers: basically, anywhere that houses multiple services within a single server container. Attackers could exploit the Intel CPU to reach outside their container and potentially retrieve secure data from the host machine.
One of the Spectre NG vulnerabilities is allegedly more dangerous than any Spectre flaw before. German tech site Heise says “Spectre NG gaps simplify cross-system attacks so much that we are much more aware of the threat potential than Spectre.” Passwords and access keys are cited as the items most at risk, particularly within machines running cloud services.
For the average end user, the threat is thankfully fairly low. It’s not the easiest task to gain access to a machine locally and there are far easier ways for hackers to go about extracting data from standard PC users. It will mean further patches are going to be necessary, although the first round of Meltdown and Spectre fixes didn’t prove to be quite the performance hit that had been scaremongered at the time.
Heise reports that Intel is planning two waves of patches; the first is planned for May, while the second is scheduled for August. Intel is also working with operating system providers on their own fixes and preventative measures.
It doesn’t look as if AMD is getting away with this scot-free either. Heise reckons that at least AMD processors using the ARM architecture could be vulnerable, although further research on this is going to be required.
Spectre continues to be the rash that just doesn’t fade away for Intel, and it looks as if this probably won’t be the last we hear of this long-running issue.
Thanks to ENTLVL820m for bringing this to my attention!