The massive Spectre/Meltdown revelations the opened 2018 shook the computing world. While the vulnerabilities are now firmly out of the main news cycle, that is about to change. Security researchers have uncovered eight new Spectre-style vulnerabilities affecting Intel CPUs—propelling Spectre back into the security limelight.
Let’s take a look at the new Spectre vulnerabilities, how they differ from the existing issues, and what, if anything, you can do.
Spectre Next Generation
German publication Heise reports that security researchers have found eight new vulnerabilities in Intel CPUs. The new vulnerabilities, dubbed “Spectre Next Generation” (or Spectre-NG) confirm fundamental flaws in all modern processors. Heise claims that Intel has classified four of the new vulnerabilities as “high risk,” while the other four are classified “medium.”
Seems that 2018 is shaping up to be the year of CPU vulnerabilities. Say bye bye to increasing CPU speeds.https://t.co/4OujvxPtCf
— Martin Thompson (@mjpt777) May 3, 2018
At the current time, it is thought the Spectre-NG vulnerabilities have a similar risk and chance of attack to the original Spectre. There is, however, one exception to that.
One of the new Spectre-NG exploits simplifies an attack vector “to such an extent that we estimate the threat potential to be significantly higher than with Spectre.” An attacker can launch exploit code within a virtual machine and directly attack the host machine from within the VM. The example given is a cloud hosting server. The virtual machine could be used to attack other customers VMs in the search for passwords and other sensitive credentials.
Who Discovered Spectre-NG?
Just like Spectre/Meltdown, Google’s Project Zero first discovered Spectre-NG. Project Zero is Google’s attempt at finding and responsibly disclosing zero-day vulnerabilities before nefarious individuals. That they have found at least one of the new Spectre-NG flaws means there could well be security patches in the near future as the Project Zero team are renowned for sticking to the 90-day disclosure deadline. (The 90-days is meant to give a company ample time to address issues.)
But after that time, the Project Zero team will release details of the vulnerability, even without a working patch.
When Your System Be Patched?
Unfortunately, there is no solid timeline for when your system will receive a security patch for Spectre-NG. Given that this vulnerability is a) completely new and b) difficult to take advantage of, engineers will take some time to make sure patches resolve the issue.
In fact, Intel reportedly asked the researchers for an additional 14-days preparation before disclosing the flaws. However, the research team continued with their disclosure timeline. Intel was set to issue a patch on the 7th May. However, the additional 14-day period, taking the patch to the 21st May, also looks set to fall by the wayside. But given their request for additional time, Intel customers should expect a patch shortly.
The scope of Spectre-NG (and Spectre/Meltdown before this) make patching the vulnerability difficult.
The previous series of patches for Spectre didn’t meet universal praise. As the Spectre patches began to roll out, users noticed issues with their systems. Glitches, newly created bugs, slower CPU clock speeds and more were all reported. As such, some companies withdrew their patches until they could be optimized. But with such a vast number of vulnerable CPUs providing a single Band-Aid was highly unlikely. Especially at the first attempt.
Other companies took a different approach. For instance, Microsoft now offers up to $250,000 in their bug bounty program for Spectre flaws.
Will Spectre-NG Exploit Your System?
One of the saving graces to the first round of Spectre vulnerabilities was the extreme difficulty of actually using one of the exploits against a target successfully. The average attacker wouldn’t be able to make use of Spectre (or Meltdown) because of the overwhelming amount of knowledge required. Unfortunately, this particular Spectre-NG exploit appears easier to implement—though still not an easy task, by any stretch of the imagination.
meltdown, spectre, branchscope and now spectre-NG… from a security standpoint Intel's silicon looks like a burning pile of shit. I hope they and the industry get their act together and stop cutting corners to boost benchmarks. ^HU
— Whonix (@Whonix) May 6, 2018
The simple fact of the matter is that there are other much easier exploitable avenues available to an attacker. Or at least the type of online attack that the majority of us would encounter day-to-day.
Still, that isn’t to diminish from the fact that the vast majority of CPUs around the globe have some form of Spectre/Meltdown or Spectre-NG vulnerability. The first round of patches is the tip of an iceberg that is unfathomably deep. Patches are obviously necessary. But an endless stream of patches with sometimes unpredictable results? That won’t do.
Check Your System Spectre/Meltdown Vulnerability Status
The InSpectre: Check Spectre and Meltdown Protection tool is a quick way to find out if your system is vulnerable. Follow the link above and download the tool. Next, run the tool and check out your level of protection. As you can see below, my laptop has Meltdown protection but is vulnerable to Spectre.
You can scroll down to find out more your PCs security situation and what Spectre/Meltdown mean.
Are AMD CPUs Vulnerable to Spectre-NG?
At the time of writing, more research into AMD CPUs is underway. There is no definitive answer. The general conjecture seems to lean toward AMD CPUs being unaffected by this particular set of vulnerabilities. But again, this isn’t a final answer.
The previous round of vulnerabilities was thought to have passed by AMD, only for the CPU manufacturer to later realize the opposite is true. So, right now; sure, you’re okay. But in a week, after more significant testing? You could well find your AMD system is vulnerable, too.
Spectre Continues to Loom Large
The Spectre-NG set of vulnerabilities adds to the list of worrying CPU-level vulnerabilities. Does Intel need to fix them? Of course, without a doubt. Can Intel fix them without redesigning their CPU architecture? This is the more difficult question to answer. The consensus is that no, Intel cannot completely eradicate the Spectre vulnerability without significantly altering their CPU design.
After all, it’s not like Intel can recall and manually fix the billions of CPUs in circulation. In that, Spectre will continue to loom large, even if it is difficult to exploit.