Security researchers have found 8 new vulnerabilities in Intel processors. The vulnerabilities are potentially worse than the well-known Meltdown and Spectre vulnerabilities that were discovered about 5 months ago. Of the vulnerabilities, 4 are marked as ‘critical’ and the other 4 as ‘medium’. They go by the name Spectre Next Generation (NG) for now.
The information has been disclosed on the website of German computer magazine C’t. The magazine states the information about the vulnerabilities has been exclusively provided to them and that it has verified the information in several ways.
The new vulnerabilities are all based on a similar design problem that affects Intel processors. C’t reports it has strong indications that some ARM processors are also vulnerable. Whether AMD processors are vulnerable too is still under investigation. C’t and Intel won’t disclose further details on the vulnerabilities as long as there is a chance that they can be patched before they become public. Intel has stated it will release a first patch in May and a second patch in August this year.
Time is ticking, however: one of the vulnerabilities has been discovered by a security researcher from Google Project Zero. Google Project Zero members are very strict about disclosing vulnerabilities. They provide a 90-day deadline after which details about vulnerabilities are publicly disclosed. On the 7th of May this deadline expires, which means Intel will likely release patches for the new vulnerabilities around that date.
C’t reports that Microsoft also appears to be preparing an update for the Spectre NG vulnerabilities. The software giant would initially rely on microcode updates, but now appears to be preparing updates for Windows too, as the microcode updates will take too long. Linux developers are also working on hardening the kernel against the Spectre NG vulnerabilities.
Both Meltdown and Spectre abuse critical vulnerabilities in modern CPUs and both make it possible for attackers to steal data from the system’s memory. Normally, software is not allowed to read data from other software, but malware that abuses the Meltdown and Spectre vulnerabilities is able to read data in memory from other software. That means it can potentially access passwords stored in a password manager or browser, photos, emails, instant messages and all kinds of other data.
It’s expected that the Spectre NG vulnerabilities are especially threatening for cloud services such as Amazon and Cloudflare. That is because the new vulnerabilities make it easier for attackers to run malware in a Virtual Machine and attack the host machine from there. This was already possible with the regular Spectre vulnerabilities, but it required a lot of technical knowledge. By exploiting the Spectre NG vulnerabilities it’s easier for attackers to bypass the VM and attack the host machine or other VMs running on that machine.
“The concrete danger for private individuals and corporate PCs is rather small, because there are usually other weak points which are easier to exploit,” according to C’t. But it does recommend installing any patches as soon as possible to make sure the system remains safe.
Update: An Intel spokesman told us, “Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”