Video: AMD and Microsoft join forces to block Spectre attacks.
Intel says it’s “finalizing mitigations”, following a report by German tech site heise.de claiming its CPUs are affected by eight new “Spectre-class” vulnerabilities, including one found by Google’s Project Zero, which identified the first set of CPU flaws known as Meltdown and Spectre.
The site reports that the bugs have been assigned CVE identifiers and that at least one of them will be revealed by Project Zero on May 7, a day ahead of Patch Tuesday, which Microsoft recently begun using to distribute Intel’s hardware patches or microcode updates.
The site says it has concrete evidence that Intel processors are vulnerable to the new flaws and that the chipmaker has patches in the works. AMD CPUs may also be vulnerable and further research on that issue is under way.
Intel has issued a cryptic statement citing additional “security issues” but confirms it is preparing mitigations without clarifying what they’re for.
“Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers,” wrote Leslie Culbertson, Intel executive vice president.
“We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up to date.”
According to Heise, four of the vulnerabilities are being treated as “high risk” and, as with the previously found Spectre flaws, they impact cloud providers due to an ability to attack a host system from a virtual machine, allowing an attacker to extract secrets and passwords from the host machine’s memory.
Spectre Variant 2, a branch target injection flaw, concerns cloud providers because of the risk of it being used to enable a hypervisor bypass. Fixing it required microcode updates from Intel and AMD.
Heise notes that while the original Spectre bugs are difficult to exploit, the new Spectre vulnerabilities are more easily used.
Reports of the new bugs come just a month after Intel completed delivery of microcode updates to address Spectre Variant 2 for all chip families released in the past decade.
As of March, Microsoft has assisted Intel to deploy these updates, which were originally being deployed by hardware manufacturers.
Previous and related coverage
Microsoft releases new Windows updates to address the Spectre variant 2 flaw affecting Intel chips.
AMD has released microcode updates for Spectre variant 2 that require Microsoft’s latest Windows 10 patch.
A handful of CPU families that Intel was due to patch will now forever remain vulnerable.
Intel has listed a range of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre-related exploits.
Since the beginning of 2018, the number of cases has risen from three to 32.