Spectre Watch: More Spectre-class CPU Vulnerabilities to be Announced Soon?by Ryan Smith on May 3, 2018 1:45 PM EST
This morning has seen an interesting turn of events in the world of processor security. c't magazine has published an exclusive report stating that they got wind of a new series of Spectre-class vulnerabilities that are currently being investigated by the greater security community, and that these vulnerabilities are going to be announced in the coming days. Meanwhile, seemingly in response to the c't article, Intel has just published their own statement on the matter, which they’re calling “Addressing Questions Regarding Additional Security Issues.”
Diving right into Intel’s announcement:
Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.
For more information on how we approach product security at Intel, please see my recent blog, “Bringing the Security-First Pledge to Life with New Intel Product Assurance and Security Group.”
— Leslie Culbertson
As things are currently unfolding, this is a very similar trajectory to the original announcement of the Meltdown and Spectre vulnerabilities, in which information about those vulnerabilities was leaked and pieced together ahead of the official coordinated announcement. Philosophies on disclosure policies notwithstanding, what we eventually saw was an accelerated release of information on those vulnerabilities, and a good bit of chaos as vendors suddenly had publish materials they were still preparing for a few days later. Intel’s early response here seems to be an effort to avoid chaos that by getting on top of things early, acknowledging the public's concerns and responding by outlining their coordinated release plans so that they can move ahead with things as-planned.
Which is to say that while Intel’s announcement confirms that something is up, it doesn’t offer any concrete details about what’s going on. For that – and assuming things don’t fall apart like the Meltdown/Spectre coordination – we’re presumably going to be waiting until next week on proper details.
As for the c't report, sources point to 8 individual CVE-assigned Spectre-class attacks, which for the moment they’re calling Spectre-NG. According to the site, Intel is working on two waves of patches, with the first wave currently set to be released in May, and c't is further speculating that information on the first wave will be released just ahead of May’s Patch Tuesday. Meanwhile information on a second flaw could be released “any day now.” And while the bulk of the report focuses on Intel – as this would seem to be the information c't had at hand – the site notes that ARM looks to be impacted as well, and AMD is likely but to-be-determined.
Of particular interest, the one exploit which c't is providing any details about is another VM-host attack, making it similar in risk to cloud server hosts as the original Meltdown. As these customers are Intel's bread & butter from a profitability standpoint, Intel will want to move very quickly to fix the issue before it can be exploited on customers’ servers, and to soothe their customers' concerns in the process.
Overall, while the nature of the report means we can’t confirm anything about their claims, on the whole it appears sound, and these claims are consistent with prior concerns raised by security researchers. Researchers have warned as far back as the original Spectre whitepaper that Spectre is a whole class of attacks – that it would be the ghost that wouldn't go away – as new ways are found to exploit the same fundamental weakness. Similar to other pivotal vulnerability discoveries, the nature of these side-channel attacks means that they are very powerful and still new enough that they’re not very well understood. So there has been and continues to be an ongoing concern that researchers and criminals alike will continue to find ways to use side-channel attacks against speculative execution, as seems to be the case now.
Ultimately, all of this is going to put increasing pressure on all CPU vendors to definitively answer a critical question: is speculative execution fundamentally unsafe, or can it be retained while it’s made safe? As one of the cornerstones of modern high-performance processors, the answer to that could shape the face of CPUs for years to come…
Post Your CommentPlease log in or sign up to comment.
View All Comments
Reflex - Thursday, May 3, 2018 - linkWe don't live in a world without viruses and malware, and governments are major perpetrators of them. It isn't going away. So back in the real world, yes it is helpful to find and disclose vulnerabilities and potential vulnerabilities. Nothing else to really discuss there.
ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, May 3, 2018 - linkSo.....
Are you saying we "SHOULD" discuss the malware, backdoors, extortionware and other vulnerabilities that are built into Windows 10?
I'm so confused by your statement.....
Shall I discuss them or not?
I do agree, It would be very helpful to disclose them!
Reflex - Thursday, May 3, 2018 - linkIf you have evidence of intentional malware, backdoors, extortionware and other vulnerabilities in Windows 10, of course you should discuss them. If they are unintentional, I would suggest following the industry standard disclosure timelines (you may even get a bounty).
ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, May 3, 2018 - linkSo no bounty unless they are unintentional?
Reflex - Thursday, May 3, 2018 - linkSo you have nothing, eh?
Death666Angel - Thursday, May 3, 2018 - linkAnandtech needs to add the ability to block people to it's commenting system.
HStewart - Thursday, May 3, 2018 - linkI would agree on personal attacks on people because they have disagreement in opinion.
eva02langley - Friday, May 4, 2018 - linkIt was aimed partly at you pal >XD
HStewart - Friday, May 4, 2018 - linkI would agree I am being attack here - just because I have a difference of opinion. But that does not give anybody a right to attack me. Let just agree to disagree on this subject.
Reflex - Thursday, May 3, 2018 - linkYour comment is nonsensical. The article reports what is *known*. They acknowledge that it may also affect others, but they do not have hard evidence of that yet. My guess is that it will, but in reporting you can't state that definitively.
Also, why would you not give rewards to those who find issues? I spent a lot of time as a software QA, the entire job is getting paid to find (and avoid) coding defects. No developer intentionally makes mistakes, but mistakes are made every day because code is complex (as are physical architectures). Creating bounty programs is the responsible thing to do for any company releasing complex products where it is virtually impossible to ever 100% certify everything works as intended.