This morning has seen an interesting turn of events in the world of processor security. c't magazine has published an exclusive report stating that they got wind of a new series of Spectre-class vulnerabilities that are currently being investigated by the greater security community, and that these vulnerabilities are going to be announced in the coming days. Meanwhile, seemingly in response to the c't article, Intel has just published their own statement on the matter, which they’re calling “Addressing Questions Regarding Additional Security Issues.”

Diving right into Intel’s announcement:

Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.

For more information on how we approach product security at Intel, please see my recent blog, “Bringing the Security-First Pledge to Life with New Intel Product Assurance and Security Group.”

— Leslie Culbertson

As things are currently unfolding, this is a very similar trajectory to the original announcement of the Meltdown and Spectre vulnerabilities, in which information about those vulnerabilities was leaked and pieced together ahead of the official coordinated announcement. Philosophies on disclosure policies notwithstanding, what we eventually saw was an accelerated release of information on those vulnerabilities, and a good bit of chaos as vendors suddenly had to publish materials they were still preparing for a few days later. Intel’s early response here seems to be an effort to avoid that chaos by getting on top of things early, acknowledging the public's concerns and responding by outlining their coordinated release plans so that they can move ahead with things as planned.

Which is to say that while Intel’s announcement confirms that something is up, it doesn’t offer any concrete details about what’s going on. For that – and assuming things don’t fall apart like the Meltdown/Spectre coordination – we’re presumably going to be waiting until next week on proper details.

As for the c't report, sources point to 8 individual CVE-assigned Spectre-class attacks, which for the moment they’re calling Spectre-NG. According to the site, Intel is working on two waves of patches, with the first wave currently set to be released in May, and c't is further speculating that information on the first wave will be released just ahead of May’s Patch Tuesday. Meanwhile information on a second flaw could be released “any day now.” And while the bulk of the report focuses on Intel – as this would seem to be the information c't had at hand – the site notes that ARM looks to be impacted as well, and AMD is likely but to-be-determined.

Of particular interest, the one exploit which c't is providing any details about is another VM-host attack, which makes it similar to the original Meltdown in the risk it poses to cloud server hosts. As these customers are Intel's bread & butter from a profitability standpoint, Intel will want to move very quickly to fix the issue before it can be exploited on customers’ servers, and to soothe their customers' concerns in the process.

Overall, while the nature of the report means we can’t confirm anything about their claims, on the whole it appears sound, and these claims are consistent with prior concerns raised by security researchers. Researchers have warned as far back as the original Spectre whitepaper that Spectre is a whole class of attacks – that it would be the ghost that wouldn't go away – as new ways are found to exploit the same fundamental weakness. Similar to other pivotal vulnerability discoveries, the nature of these side-channel attacks means that they are very powerful and still new enough that they’re not very well understood. So there has been and continues to be an ongoing concern that researchers and criminals alike will continue to find ways to use side-channel attacks against speculative execution, as seems to be the case now.

Ultimately, all of this is going to put increasing pressure on all CPU vendors to definitively answer a critical question: is speculative execution fundamentally unsafe, or can it be retained while it’s made safe? As one of the cornerstones of modern high-performance processors, the answer to that could shape the face of CPUs for years to come…

77 Comments

  • eastcoast_pete - Thursday, May 3, 2018

    If I read the article in heise.de correctly, at least one of the newly discovered "spectre-new generation" vulnerabilities is actually even more dangerous than spectre ever was, as this new one allows attacks on other virtual machines running on the same machine, including possibly all VMs on that server. This means that AWS, Azure etc. are vulnerable. They, in turn, have various US and other government agencies as their clients, and the information in question can be quite sensitive. As to the "is this real?" question: just read the statement released by Intel in response to questions by heise.de for comment. Intel's answer is quoted verbatim in the article above. Note that Intel does not deny ANY of these vulnerabilities, nor do they dispute the severity of the problem. AMD apparently had "no comment", but a safe assumption is that they might be just as badly affected. So, if your job is somehow linked to keeping proprietary or secret information proprietary and secret, and if you or your users (including customers) utilize VMs and cloud services, then yes, that should concern you. If you're just browsing the web from your gaming rig or your smartphone and practice "basic online hygiene", you're probably okay for now.
  • LordanSS - Friday, May 4, 2018

    Having a solid but disagreeable opinion is one thing. Having nonsense is something else altogether.
  • SydneyBlue120d - Friday, May 4, 2018

    Could this be the real reason behind Jim Keller hiring?
  • eva02langley - Friday, May 4, 2018

    Nah, it is more for everything. I really doubt he is going to focus on such low-level issues. People in his position are more high-level managers.
  • wow&wow - Friday, May 4, 2018

    Whatever, they will be patched anyway, but what is amazing and not acceptable is that according to the Intel CEO not following the privilege levels defined by the company itself and requiring OS kernel relocation is the intended design, no bug, amazing!

    Even more amazing, people accept it and allow the company to keep selling and launching the faulty products with the intended design flaw inside!
  • haukionkannel - Friday, May 4, 2018

    It will be interesting to see how long it will take until these new problems are corrected at the hardware level. We are supposed to see 2019 processors that may be fixed for Meltdown and Spectre... maybe... And now we have new problems that are fixed in 2020-2021? At the hardware level, I mean. Software fixes will come sooner, of course...
  • Beaver M. - Sunday, May 6, 2018

    CPUs that don't have these exploits fixed on the hardware side should be 50% cheaper at least. But instead I still see them at full price.
    Seriously, WTF is wrong with the economy if such huge flaws don't make a dent on prices?
