Spectre Watch: More Spectre-class CPU Vulnerabilities to be Announced Soon?
by Ryan Smith on May 3, 2018 1:45 PM ESTThis morning has seen an interesting turn of events in the world of processor security. c't magazine has published an exclusive report stating that they got wind of a new series of Spectre-class vulnerabilities that are currently being investigated by the greater security community, and that these vulnerabilities are going to be announced in the coming days. Meanwhile, seemingly in response to the c't article, Intel has just published their own statement on the matter, which they’re calling “Addressing Questions Regarding Additional Security Issues.”
Diving right into Intel’s announcement:
Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.
For more information on how we approach product security at Intel, please see my recent blog, “Bringing the Security-First Pledge to Life with New Intel Product Assurance and Security Group.”
— Leslie Culbertson
As things are currently unfolding, this is a very similar trajectory to the original announcement of the Meltdown and Spectre vulnerabilities, in which information about those vulnerabilities was leaked and pieced together ahead of the official coordinated announcement. Philosophies on disclosure policies notwithstanding, what we eventually saw was an accelerated release of information on those vulnerabilities, and a good bit of chaos as vendors suddenly had publish materials they were still preparing for a few days later. Intel’s early response here seems to be an effort to avoid chaos that by getting on top of things early, acknowledging the public's concerns and responding by outlining their coordinated release plans so that they can move ahead with things as-planned.
Which is to say that while Intel’s announcement confirms that something is up, it doesn’t offer any concrete details about what’s going on. For that – and assuming things don’t fall apart like the Meltdown/Spectre coordination – we’re presumably going to be waiting until next week on proper details.
As for the c't report, sources point to 8 individual CVE-assigned Spectre-class attacks, which for the moment they’re calling Spectre-NG. According to the site, Intel is working on two waves of patches, with the first wave currently set to be released in May, and c't is further speculating that information on the first wave will be released just ahead of May’s Patch Tuesday. Meanwhile information on a second flaw could be released “any day now.” And while the bulk of the report focuses on Intel – as this would seem to be the information c't had at hand – the site notes that ARM looks to be impacted as well, and AMD is likely but to-be-determined.
Of particular interest, the one exploit which c't is providing any details about is another VM-host attack, making it similar in risk to cloud server hosts as the original Meltdown. As these customers are Intel's bread & butter from a profitability standpoint, Intel will want to move very quickly to fix the issue before it can be exploited on customers’ servers, and to soothe their customers' concerns in the process.
Overall, while the nature of the report means we can’t confirm anything about their claims, on the whole it appears sound, and these claims are consistent with prior concerns raised by security researchers. Researchers have warned as far back as the original Spectre whitepaper that Spectre is a whole class of attacks – that it would be the ghost that wouldn't go away – as new ways are found to exploit the same fundamental weakness. Similar to other pivotal vulnerability discoveries, the nature of these side-channel attacks means that they are very powerful and still new enough that they’re not very well understood. So there has been and continues to be an ongoing concern that researchers and criminals alike will continue to find ways to use side-channel attacks against speculative execution, as seems to be the case now.
Ultimately, all of this is going to put increasing pressure on all CPU vendors to definitively answer a critical question: is speculative execution fundamentally unsafe, or can it be retained while it’s made safe? As one of the cornerstones of modern high-performance processors, the answer to that could shape the face of CPUs for years to come…
77 Comments
View All Comments
HStewart - Thursday, May 3, 2018 - link
The mention article was in German, but it had no technical merits to back up its claim. If the reports are existing Spectre issues than why repeat the information and just state patching the OS with updates is not the fix.In my opinion, this is deliberate attempt to bring up an issue to bring attention to themselves. Maybe this German site - wants to bring attention to find a way to get the $250,000 from Microsoft. But are they doing more harm than value?
Reflex - Thursday, May 3, 2018 - link
I'm not certain what your issue is here. This is a news organization, they are reporting the news. They do not need to wait for confirmation so long as they are clear not to claim the news they are reporting is confirmed.HStewart - Friday, May 4, 2018 - link
It not news in forums - it is opinions - real news is based on facts.Reflex - Friday, May 4, 2018 - link
I think you don't understand the meaning of the words news or opinions.HStewart - Thursday, May 3, 2018 - link
"No developer intentionally makes mistakes"this is nonsense and out of reference to subject - I am not talking about normal development code - this would not be an security issue - but instead we are talking about virus and malware that attempts to inject themselves into OS flaws - my opinion the OS should not allow this to happen - unless there is a flaw that prevents the OS from getting exception from a non-Ring 0 code accessing Ring 0 data.
Colin1497 - Thursday, May 3, 2018 - link
Not sure if you're just intentionally being obtuse or what, but it's Heise that is reporting this, not some random web site desperate for publicity.Also, the whole point of these flaws is that the OS can't prevent them. They are hardware problems that allow non-ring 0 to access ring 0. Saying that the OS should fix these hardware flaws displays a complete lack of comprehension of what's being discussed. You should probably go back and read some of the papers on Spectre rather than posting in these comments.
Reflex - Thursday, May 3, 2018 - link
This right here. It's really clear that HStewart does not understand Spectre or the types of vulnerabilities it enables. Or basic computer security. Or the reasons why bug bounty programs exist. Or the fact that code is code and 'normal development code' has no actual meaning...HStewart - Friday, May 4, 2018 - link
keep in mind I did my OS development about 16 years ago - I do remember finding erratum in an IBM 486SLC which had hardware bug where the cache was inverted. But if there is reliable case that it processor allows access to ring 0 data from non-ring 0 this should be corrected - but if something that OS leaves open - then the OS should be correct.But it is interesting that Spectre is only in cloud servers - which sounds like OS issue - I believe if I remember right Linux servers first heard about this.
Reflex - Friday, May 4, 2018 - link
Spectre is an issue in all systems. It is not only in cloud servers. Cloud servers merely have more avenues where exploitation of Spectre would be advantageous for attackers.Spectre is also not OS specific, it impacts all major OS's ranging from Windows to Linux and OS X and their derivatives.
Spunjji - Friday, May 4, 2018 - link
Please understand I mean nothing personal when I say that this comment is completely without merit. Bad actors already have incentives to find vulnerabilities (the pay-off of whatever it is they want to do, e.g. steal financial information, sabotage another government's infrastructure, etc.) so, yes, it is of unquestionable value that we provide incentives to white-hats to find the same kind of flaws first and successfully document and patch them.The article mentions Intel in the context of an Intel announcement. Would you like them to make up announcements from AMD and ARM to go with it?
The article explains why there is no "legitimate description" - it's not yet fully investigated.
In summary, please read more and type less.