Intel has delayed the first security updates for the recently revealed Spectre NG vulnerabilities. The updates were scheduled to be released today, but Intel appears to needs more time to prepare the patches for the eight new vulnerabilities in its processors. The vulnerabilities can be found in pretty much all Intel CPUs from 2010 and later.
Last week, the German computer magazine C’t reported that security researchers found new vulnerabilities in Intel processors. Amongst others, the vulnerabilities would make it possible to escape from a Virtual Machine (VM) to attack the host computer (physical machine). Something especially alarming for cloud providers where often multiple VMs run on a single host. The security researchers named the vulnerabilities Spectre Next Generation (NG) after the Spectre vulnerability that was disclosed together with the Meltdown vulnerability. Both leaks were also found in Intel processors.
Intel planned to release the first updates for Spectre NG today, the 7th of May, with a second wave of updates scheduled for August. There is some time pressure for the chip giant, one of the vulnerabilities was discovered by a security researcher working for Google Project Zero. When an issue is found by Google Project Zero members, companies have a 90-day deadline to fix the leaks. The deadline of one of the Spectre NG vulnerabilities expires today.
The German website Heise reports that Intel needs more time to fix the issue. The company plans to release a coordinated release of micro-updates on the 21st of May after which also details about two Spectre NG vulnerabilities will be disclosed. Heise states it’s very well possible that Intel will also postpone those updates, because the website has learned that Intel has asked extension of the deadline till the 10th of July.
The most critical Spectre NG vulnerability, which makes it possible to escape from a VM, is planned to be patched on the 14th of August.
Patching all vulnerable processors is a huge operating. Nearly all processors since Nehalem (2010) are reportedly vulnerable, both Core and Xeon variants.