This morning has seen an interesting turn of events in the world of processor security. c't magazine has published an exclusive report stating that they got wind of a new series of Spectre-class vulnerabilities that are currently being investigated by the greater security community, and that these vulnerabilities are going to be announced in the coming days. Meanwhile, seemingly in response to the c't article, Intel has just published their own statement on the matter, which they’re calling “Addressing Questions Regarding Additional Security Issues.”

Diving right into Intel’s announcement:

Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.

For more information on how we approach product security at Intel, please see my recent blog, “Bringing the Security-First Pledge to Life with New Intel Product Assurance and Security Group.”

— Leslie Culbertson

As things are currently unfolding, this is a very similar trajectory to the original announcement of the Meltdown and Spectre vulnerabilities, in which information about those vulnerabilities was leaked and pieced together ahead of the official coordinated announcement. Philosophies on disclosure policies notwithstanding, what we eventually saw was an accelerated release of information on those vulnerabilities, and a good bit of chaos as vendors suddenly had to publish materials they were still preparing for a few days later. Intel’s early response here seems to be an effort to avoid that chaos by getting on top of things early, acknowledging the public's concerns and responding by outlining their coordinated release plans so that they can move ahead with things as planned.

Which is to say that while Intel’s announcement confirms that something is up, it doesn’t offer any concrete details about what’s going on. For that – and assuming things don’t fall apart like the Meltdown/Spectre coordination – we’re presumably going to be waiting until next week on proper details.

As for the c't report, sources point to 8 individual CVE-assigned Spectre-class attacks, which for the moment they’re calling Spectre-NG. According to the site, Intel is working on two waves of patches, with the first wave currently set to be released in May, and c't is further speculating that information on the first wave will be released just ahead of May’s Patch Tuesday. Meanwhile information on a second flaw could be released “any day now.” And while the bulk of the report focuses on Intel – as this would seem to be the information c't had at hand – the site notes that ARM looks to be impacted as well, and AMD is likely but to-be-determined.

Of particular interest, the one exploit which c't is providing any details about is another VM-host attack, making it similar to the original Meltdown in the risk it poses to cloud server hosts. As these customers are Intel's bread & butter from a profitability standpoint, Intel will want to move very quickly to fix the issue before it can be exploited on customers’ servers, and to soothe their customers' concerns in the process.

Overall, while the nature of the report means we can’t confirm anything about their claims, on the whole it appears sound, and these claims are consistent with prior concerns raised by security researchers. Researchers have warned as far back as the original Spectre whitepaper that Spectre is a whole class of attacks – that it would be the ghost that wouldn't go away – as new ways are found to exploit the same fundamental weakness. Similar to other pivotal vulnerability discoveries, the nature of these side-channel attacks means that they are very powerful and still new enough that they’re not very well understood. So there has been and continues to be an ongoing concern that researchers and criminals alike will continue to find ways to use side-channel attacks against speculative execution, as seems to be the case now.

Ultimately, all of this is going to put increasing pressure on all CPU vendors to definitively answer a critical question: is speculative execution fundamentally unsafe, or can it be retained while it’s made safe? As one of the cornerstones of modern high-performance processors, the answer to that could shape the face of CPUs for years to come…

77 Comments

  • eva02langley - Thursday, May 3, 2018 - link

    Not again, just please, part with your bias.
  • HStewart - Thursday, May 3, 2018 - link

    There is no bias here - just opinion - that I think that this stuff is so overblown - and that anybody who does not think the real problem is with people who make viruses and malware then they are probably in with the same people.

    I am just concerned the site (not AnandTech but the German one) did not provide anything to back up their claims - just that they got 8 new issues. How reliable is that! They are the ones that show bias.
  • ಬುಲ್ವಿಂಕಲ್ ಜೆ ಮೂಸ್ - Thursday, May 3, 2018 - link

    Why should he part with something so positive as bias?

    If it were a negative, you could never prove it, making your statement pointless!

    Just ask Reflex
  • eva02langley - Friday, May 4, 2018 - link

    His point is kind of using the wrong terminology, what he wanted to say is that you cannot define unknowns that are unknowns.

    Project Management 101.
  • willis936 - Thursday, May 3, 2018 - link

    >I think we should ask the big question, are these researchers helping or hurting the industry?

    This isn't a big question. This isn't really a question at all at this point because the answer has existed for decades.
  • HStewart - Thursday, May 3, 2018 - link

    It is still the real problem, if we did not have viruses and malware, then this would not be an issue.
  • willis936 - Thursday, May 3, 2018 - link

    And as quickly as it is researched publicly it is researched even faster by governments and people that have a financial or defense interest in exploiting vulnerabilities. What are you trying to argue against? The very use of computers?
  • HStewart - Thursday, May 3, 2018 - link

    "What are you trying to argue against? The very use of computers?"

    So creating viruses or malware is the very use of computers? As a developer, I would say no - it is trying to inject bad code onto a customer's system to create harm to the customer.

    All I am saying is that is the real threat here. So I believe this should be handled by the OS.
  • XsjadoKoncept - Thursday, May 3, 2018 - link

    Jesus man, how little sense can you make, and how closed-minded can you be? It's like saying that if governments stopped running domestic intelligence agencies to deter foreign governments from spying by figuring out how they get info and stopping it, then magically the foreign governments will just stop spying.

    I do dev in the finance industry - if there was a class of attack that went unknown for even a few months because bad actors got there first then we could be open to millions in losses, even bankruptcy - the internet as a marketplace would die instantly as nobody could trust it.

    These people pay researchers via bounties, because exploits that remain unknown cost *FAR* more in the long run, and could kill the company entirely, either directly by allowing a competitor to supplant them - or by killing their industry entirely.
  • FunBunny2 - Friday, May 4, 2018 - link

    "These people pay researchers via bounties, because exploits that remain unknown cost *FAR* more in the long run, and could kill the company entirely, either directly by allowing a competitor to supplant them - or by killing their industry entirely."

    experience, to date, is that FIRE industry has gotten off with little more than slaps on the wrist for their mal/non feasance. the current administration isn't going to hold their feet any closer to the fire (pun intended).
