Eight new Spectre Variant Vulnerabilities for Intel Discovered - four of them critical
News has just started spreading that researchers have found another eight Spectre-like vulnerabilities in Intel processors; all resemble Spectre, and four of them are critical. The new vulnerabilities are grouped under the name Spectre-NG. They would make it really easy to exploit a host from a simple VM.
German c't / Heise broke the news today; the new vulnerabilities have not been made public yet. According to the report there is 'no doubt' that these are real vulnerabilities. While technical details are missing, the attack scenarios closely resemble those of the Spectre vulnerabilities.
Currently, shared hosting providers are most at risk: once you have access to your rented server container, you could exploit the processor to retrieve secure data. All eight vulnerabilities share the same design problem that the "Meltdown and Spectre" vulnerabilities detailed as well; they are, so to speak, Spectre Next Generation, ergo Spectre NG. c't mentions that it has concrete information about Intel's processors and their patch plans. However, there are some indications that other processors are affected as well; at least some ARM CPUs are also vulnerable to some extent. Whether, and to what extent, the AMD processor architecture is vulnerable (if at all) is not yet known.
Intel is reportedly actively and nervously working on Spectre NG patches behind the scenes; other patches are being developed in collaboration with the operating system manufacturers (Microsoft / Linux etc). When exactly the first Spectre NG patches and firmware updates will become available is not yet clear. According to the available information, Intel is planning at least two patch waves: a first one should start in May; a second is currently scheduled for August. For at least one of the Spectre NG patches there is already a specific date: Google's Project Zero found one of the vulnerabilities, and on May 7, the day before the Windows Patchday, the 90-day warning period expires. So that is likely when the first patch will be released for Microsoft Windows. Microsoft is preparing CPU patches: they appear to take the form of optional Windows updates rather than microcode (firmware) updates. The PC motherboard and server manufacturers probably need too long for BIOS updates.
Intel classifies four of the Spectre NG vulnerabilities as "high-risk", which in Intel language translates as: super dangerous. The danger of the other four is rated as medium. According to c't/Heise, Spectre-NG risks and attack scenarios are similar to those of Spectre, with one exception. c't likens Intel's processors, with their many security holes, to Swiss cheese.
Senior Member
Posts: 452
Joined: 2018-05-03
My god, hopefully this will not hurt performance... if so, that's a big blow indeed.
Senior Member
Posts: 899
Joined: 2013-11-23
Somewhere, an Intel engineer is pulling his hair out in frustration.
Senior Member
Posts: 1713
Joined: 2012-10-07
My guess is that Intel are just gonna have to neuter the branch prediction capabilities of their CPUs even more to fix this, so this is kinda worrying from a performance perspective! I've seen a 10-15% drop in CPU load required in Battlefield 1 since updating to the latest 1803 version of Windows 10, which also coincides with my Spectre protection disappearing (as Microsoft haven't released KB microcode patches yet for 1803) - so this either proves that the 1803 version of Windows is a lot more CPU efficient when it comes to gaming or that Spectre protection microcodes can have a 10-15% performance cost to CPU load, in Battlefield 1 at least. The thought of an even more performance-impactful microcode being released to curb these new Spectre threats is less than ideal!
Senior Member
Posts: 324
Joined: 2015-06-25
I feel sorry for those guys. This seems to fall under the old adage "Make something idiot-proof and the world just invents a better idiot", except replace idiots with very clever hackers.
Senior Member
Posts: 14282
Joined: 2014-07-21
Patches scheduled for May and August... I'll believe it when I see it.
Last time Intel gave patch dates after the big exploit they took three months longer than expected, and then you didn't get them for all the CPUs they originally claimed they'd patch. Way to go m$, quite a track record in 2017/18 so far.