Get ready for a new generation of Spectre vulnerabilities to appear in x86 chips.
On May 3, German magazine c't published a report that claims researchers have found eight new security flaws in Intel processors that are being tentatively called "Spectre Next Generation" or "Spectre NG."
Several teams of security researchers have reported the new Spectre-like vulnerabilities to Intel, although the technical details of these flaws are being withheld right now, according to the report. The story also claims that Intel is working on patches to address these new sets of hardware issues.
Once again, it appears that Google Project Zero, the search company's security division, has been aware of at least one of these flaws. The Google team alerted Intel to the Spectre and Meltdown side-channel vulnerabilities in 2017, before additional details were released by university researchers in January. (See Meltdown & Spectre News Gets Worse – & Better.)
In addition to Intel, c't reports that these flaws could also affect AMD and ARM processors as well.
While the technical details are being withheld to give the companies involved time to respond and issue patches and fixes, the magazine reported that the Spectre NG flaws work in the same manner as the original Spectre and Meltdown vulnerabilities.
The new set of flaws were discovered through the Common Vulnerability Enumerator (CVE), which is an industry repository of known cybersecurity vulnerabilities that contains identification numbers, descriptions and public references. Intel appears to have labeled at least four of the next-generation flaws as "high-risk." The other four are deemed moderate.
It is also likely, according to the report, that each of the eight vulnerabilities will require their own patch.
For its part, Intel is remaining quiet about the report, although a note published on the company's website on Thursday seems to hint that the chip maker is aware of new vulnerabilities and is working to fix the issues.
"We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers," according to Intel's post. "We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."
When the original Spectre and Meltdown flaws were disclosed at the beginning of this year, researchers reported that by manipulating pre-executed commands within x86 chips, which help make data available faster, hackers can gain access to the content of the kernel memory. The security issue is that this flaw can allow a hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.
Since that time, Intel has been issuing patches and promising to do a better job of alerting the community to security flaws, although the company recently admitted that some chips will never get Spectre and Meltdown fixes. (See Intel Will Leave Some Chips Without Spectre Patch.)
What makes the original Spectre and Meltdown particularly tricky to fix is the fact there are variations to each flaw. Specifically, Spectre has two different issues called Variant 1 and Variant 2. In the case of Variant 2, the flaw is the harder one to exploit by attackers but also the more difficult to fix. (See 5 New Network Attack Techniques That Will Keep You Awake at Night.)
Related posts:
- In Wake of Spectre & Meltdown, Intel Shifts Memory Scanning to GPU
- Microsoft's Brad Smith: 2017 Was a Cybersecurity Wake-Up Call
- Intel, OEMs Push Out More Spectre Microcode Patches
- Intel's SGX Vulnerable to Spectre-Like Flaw
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.