The ghost of CPU security flaws reappears in the form of Spectre-NG


Just as Intel has started to get a handle on managing the Spectre and Meltdown speculative execution security flaws in its contemporary processors, there's a warning about a second wave of related vulnerabilities. German computer magazine c't (a part of Heise) reports that multiple groups of security researchers have clued Intel in on eight unique speculative execution vulnerabilities in its chips. The magazine calls the set Spectre-NG and goes on to say that some or all of these flaws may also be present in ARM processors. The applicability of the flaws to AMD CPUs was said to be less clear. c't did not publish any specific technical details about the problems beyond mentioning that they were all similar to Spectre.

The magazine says each of the eight flaws has a unique Common Vulnerability Enumerator (CVE) number and that each will require its own specific patch. Intel is said to be actively working on two waves of patches for the security flaws. The first round of patches is expected later this month and the second is scheduled for an August release. One particular flaw was discovered by Google's Project Zero researchers and will be revealed Monday, the expiration of the 90-day grace period the team gave to Intel.

c't says that Intel has classified four of the eight vulnerabilities as "high-risk," while the other four received "medium" ratings. The magazine says that one of the attacks in particular stands out because it could be run in a virtual machine and attack the host system from there. Such a scenario presents immense and immediate risk to cloud host providers and their customers. The author says that such an attack was possible with Spectre, but that the new vulnerability reduces the knowledge of the target system that the attacker needs for success.

The magazine believes that these won't be the last security-related issues to pop up in modern CPU design. Werner Haas, one of the co-discoverers of Spectre, warns that future processors must be designed with security as a priority from the earliest steps in the design process.

Tip: You can use the A/Z keys to walk threads.
View options