The Spectre and Meltdown flaws were so fun, why don't we do it all again?
Last week, German media outlet Heise Security first reported that there is another round of Meltdown and Spectre-like flaws that will need fixing in Intel chips. The flaws are collectively being referred to as "Spectre: The Next Generation."
The first trio of Meltdown and Spectre flaws came to light on Jan. 3. They involve speculative execution, a CPU optimization technique that's widely used in modern processors. But the functionality, which is physically built into processors, can be targeted via a trio of "side-channel attacks" to trigger information leaks (see Intel Faces 32 Spectre/Meltdown Lawsuits).
Intel, AMD and ARM say they first learned of the flaws in June 2017, thanks to a Google research team. The flaws are present in billions of devices made over the past 20 years.
Chipmakers have begun shipping fixes for chips manufactured in recent years, although not all of the flaws can be fully eradicated in all chips, and some fixes have introduced new problems, including the need for frequent rebooting (see Intel: Stop Installing Patches Due to Reboot Problems).
Some of the fixes also carry notable performance problems, especially for servers as well as other devices that do not use the latest CPUs and operating systems (see Intel Confirms Fresh Spectre, Meltdown Patch Problems).
8 New Flaws
Heise has reported that there are eight new flaws, four of which are high risk and one of which poses a much greater danger than any of the three Spectre/Meltdown flaws that have already come to light.
On Monday, Heise reported that Intel has been planning for a coordinated vulnerability announcement with Google Project Zero - and perhaps others - on May 21, although it's attempting to delay it until at least July 10. It's not clear if any other chipmakers might be affected.
Heise reports that the new flaws affect a range of chips used across PCs, laptops, servers, smartphones, tablets and embedded devices. Affected chips include Intel Core i processors - and their Xeon derivatives - built since they were first released in 2010, as well as Atom-based Pentium, Celeron and Atom processors built since 2013. All affected chips will require microcode updates, and operating systems will also need to be updated, according to the report.
An Intel spokeswoman declined to comment on the report or a potential coordinated vulnerability disclosure timeline. Instead, she referred me to a statement released on Thursday by Leslie Culbertson, Intel's general manager of product assurance and security:
"Protecting our customers' data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."
In short: Stay tuned.
Follows 'AMD Flaws' Disclosure
News of the eight fresh flaws follows an Israeli firm, CTS, issuing a website and white paper on "AMD Flaws," outlining 13 problems it says it found in AMD's Zen processors, including EPYC, Ryzen, Ryzen Pro and Ryzen Mobile.
Controversially, the company said that while it stood by its research, "we may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports."
None of those 13 flaws appeared to be speculative execution problems (see AMD Chipset Flaws Are Real, But Experts Question Disclosure).
Cold, Hard Cash for Finding Flaws
Security experts have been predicting that as more Ph.D. students, nation-state attackers, computer scientists and information security researchers begin hammering away at microprocessor security, it's only a matter of time before new chip-level flaws come to light (see Expect More Cybersecurity 'Meltdowns').
To help spur things along, until the end of this year, Intel and Microsoft are offering cold, hard cash to any researchers that find new speculative execution flaws (see Microsoft Offers Payouts for New Spectre, Meltdown Flaws).