This morning has seen an interesting turn of events in the world of processor security. c't magazine has published an exclusive report stating that they got wind of a new series of Spectre-class vulnerabilities that are currently being investigated by the greater security community, and that these vulnerabilities are going to be announced in the coming days. Meanwhile, seemingly in response to the c't article, Intel has just published their own statement on the matter, which they’re calling “Addressing Questions Regarding Additional Security Issues.”

Diving right into Intel’s announcement:

Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.

For more information on how we approach product security at Intel, please see my recent blog, “Bringing the Security-First Pledge to Life with New Intel Product Assurance and Security Group.”

— Leslie Culbertson

As things are currently unfolding, this is a very similar trajectory to the original announcement of the Meltdown and Spectre vulnerabilities, in which information about those vulnerabilities was leaked and pieced together ahead of the official coordinated announcement. Philosophies on disclosure policies notwithstanding, what we eventually saw was an accelerated release of information on those vulnerabilities, and a good bit of chaos as vendors suddenly had publish materials they were still preparing for a few days later. Intel’s early response here seems to be an effort to avoid chaos that by getting on top of things early, acknowledging the public's concerns and responding by outlining their coordinated release plans so that they can move ahead with things as-planned.

Which is to say that while Intel’s announcement confirms that something is up, it doesn’t offer any concrete details about what’s going on. For that – and assuming things don’t fall apart like the Meltdown/Spectre coordination – we’re presumably going to be waiting until next week on proper details.

As for the c't report, sources point to 8 individual CVE-assigned Spectre-class attacks, which for the moment they’re calling Spectre-NG. According to the site, Intel is working on two waves of patches, with the first wave currently set to be released in May, and c't is further speculating that information on the first wave will be released just ahead of May’s Patch Tuesday. Meanwhile information on a second flaw could be released “any day now.” And while the bulk of the report focuses on Intel – as this would seem to be the information c't had at hand – the site notes that ARM looks to be impacted as well, and AMD is likely but to-be-determined.

Of particular interest, the one exploit which c't is providing any details about is another VM-host attack, making it similar in risk to cloud server hosts as the original Meltdown. As these customers are Intel's bread & butter from a profitability standpoint, Intel will want to move very quickly to fix the issue before it can be exploited on customers’ servers, and to soothe their customers' concerns in the process.

Overall, while the nature of the report means we can’t confirm anything about their claims, on the whole it appears sound, and these claims are consistent with prior concerns raised by security researchers. Researchers have warned as far back as the original Spectre whitepaper that Spectre is a whole class of attacks – that it would be the ghost that wouldn't go away – as new ways are found to exploit the same fundamental weakness. Similar to other pivotal vulnerability discoveries, the nature of these side-channel attacks means that they are very powerful and still new enough that they’re not very well understood. So there has been and continues to be an ongoing concern that researchers and criminals alike will continue to find ways to use side-channel attacks against speculative execution, as seems to be the case now.

Ultimately, all of this is going to put increasing pressure on all CPU vendors to definitively answer a critical question: is speculative execution fundamentally unsafe, or can it be retained while it’s made safe? As one of the cornerstones of modern high-performance processors, the answer to that could shape the face of CPUs for years to come…

Comments Locked

77 Comments

View All Comments

  • Reflex - Friday, May 4, 2018 - link

    Meltdown is already patched. Nothing more to discuss about that one. Spectre's main threat isn't home systems, its cloud based and targeted attacks (for now). You hit someone's infrastructure. Data exfiltration *is* the primary value in attacking corporate networks. And quite frankly that does impact home users when its their data being stored and then leaked.

    I don't expect Spectre to have much of an impact on home users, although that could change since its only started to be explored. I do expect it to have a large impact on the cloud however as it threatens the security of virtualized hosts substantially.
  • HStewart - Friday, May 4, 2018 - link

    Just FYI, there is something called PCI 3.0 compliance - in this situation for example with restaurants - the account cards are not allow to be stored on system at all - so even if they break in the account is not found. In additional for example with VeriFone systems that have implemented full PCI 3.0 compliance - the accounts are driven by tokens ( and in some cases token less ) to if card number is retrieved - it just a token - a pseudo random on for account. Even the developers at VeriFone do not access to original account.

    Of course there older systems that are not compliant. some for those systems, if you could some how intercept the cache. then you can hack it.
  • Sunrise089 - Thursday, May 3, 2018 - link

    Commenting out of love for extremely detailed snake analogy
  • Alexvrb - Thursday, May 3, 2018 - link

    I ran my 386 at half speed (disabled turbo) when things got dicey playing Snake.
  • beginner99 - Friday, May 4, 2018 - link

    Spectre is a huge issue for cloud providers. And if i rent a ec2 instance on amazon you bet I will be running it near 100% fpr most f the time I rent it. That is the point of it. Spectre is a virtualization issue.

    On the other hand you are right. for consumers spectre is a non-issue mostly. If hacker can run spectre, then he could run much more dangerous and easier tools as well. you lost the battle already.
  • epdm2be - Friday, May 4, 2018 - link

    Perhaps it's time to tone down our reliance on cloud-based services?

    Things worked fine in the past without the cloud, so I fail to see why we can't step back. Not to mention that many of these cloud-based systems are nothing more than vendor-lock-in schemes to make easy money.

    @bji thanks for the snake analogy. That was a clear and spot on explanation.
  • Midwayman - Friday, May 4, 2018 - link

    That's the problem with snake control laws though. Only the criminals have snakes then and what are you going to do when attacked with one?
  • epdm2be - Friday, May 4, 2018 - link

    You obviously go to the hospital. They (should) have the necessary anti-venom.
    Why do you wan't to police yourself if you already pay for a policing institute that should catch these criminals in the first place?

    Anyway, have there been real reports of Spectre-compromised systems (yet)?
  • frenchy_2001 - Friday, May 4, 2018 - link

    Spectre does not "compromise" systems, it allows the attacker to extract data and *leaves no trace*.
    This is the danger of it.
    It is a significant risk for *SHARED* computing, like cloud hosts.

    However, it is overblown for home users.
  • Flunk - Friday, May 4, 2018 - link

    That's one of the logical fallacies that the NRA hides behind. It's patently ridiculous. You can just as easily say.

    "That's the problem with rocket launcher laws though. Only the criminals have rocket launchers then and what are you going to do when attacked with one?"

    Or nuclear weapons, napalm, etc. The argument doesn't hold any water unless you want to argue that literally everything should be legal, regardless of how potentially dangerous it is, and then I doubt many people would agree with you.

Log in

Don't have an account? Sign up now