Skip to main content

Intel reportedly gears up to patch 8 Spectre Next Generation CPU flaws

A report by C’T Magazine claims that eight new security flaws found in modern processors will be disclosed by Intel in the near future. Intel hasn’t directly addressed the vulnerabilities claimed in the report, but has confirmed the reservation of Common Vulnerabilities and Exposures (CVE) numbers, which is part of the investigation and mitigation of possible issues. 

“Protecting our customers’ data and ensuring the security of our products are critical priorities for us,” Intel’s Leslie Culbertson said in a statement on Thursday, May 3. “We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up to date.” 

According to the report, Meltdown and Spectre weren’t the last of the flaws discovered in modern processor designs. Several research teams have reportedly already disclosed eight new security flaws to Intel, all of which stem from the same design problem. The details regarding these eight flaws are unknown, but they are currently dubbed as Spectre Next Generation. 

Don’t let the Star Trek-like name fool you, each flaw will have its own CVE number just like Meltdown and Spectre. Thus, Intel will be required to provide eight different patches.

The Spectre Next Generation patches will supposedly be provided in two waves: The first in May and the second in August. Intel classifies four as “high risk,” so we should expect to see those mitigations this month, while the “medium” vulnerabilities may be fixed this summer.

The flaws are reportedly similar to the original Spectre exploits, save for one that poses a higher risk than Spectre Variant 1 and Variant 2. It could allow a hacker to launch malicious code in a virtual machine, which is a software emulation of a fully functional PC. They are typically used in corporate environments to reduce hardware costs, and run on high-powered data center servers.

Still, the exploit could allow the hacker to attack the host server through a virtual machine, giving the individual access to all the information stored in the server’s memory. That is a problem when servers are running multiple virtual machines simultaneously. 

“Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap,” the report states. “Intel’s Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.” 

Intel isn’t the only CPU maker facing additional patches. The report says some ARM-based processors are also vulnerable to the Spectre Next Generation flaws, while researchers are currently investigating AMD’s processor family for similar vulnerabilities. 

Editors' Recommendations

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Intel’s 9th-generation ‘Ice Lake’ CPUs will have fixes for Meltdown, Spectre
Intel Meltdown

At the beginning of Intel's fourth quarter 2017 earnings conference call, CEO Brian Krzanich immediately jumped into an update about patching the Meltdown and Spectre security issues found with the company's processors. He confirmed that Intel is currently working on silicon-based changes for upcoming products that will address the problems on a hardware level. These products are expected to hit the market later in 2018. 
Krzanich also hinted at the current problems Intel faces with the first software-based patch addressing Meltdown.  
"While we made progress, I'm acutely aware that we have more to do, we've committed to being transparent keeping our customers and owners appraised of our progress and through our actions, building trust," he said. "Our near-term focus is on delivering high-quality mitigations to protect our customers' infrastructure from these exploits." 
Speculation points to knowledge of the Meltdown and Spectre issues long before acknowledging them in public. That is because processor designs remain locked for at least a year before they become products sold on the market. Intel's ninth-generation "Ice Lake" family of processors is expected to launch by the end of 2018 or in early 2019 based on 10nm process technology. Thus, the fixes needed to be in place prior to December 2017.  
Google's Project Zero team went public with its Meltdown and Spectre findings at the beginning of January. But Intel already knew about the problems and admits it began distributing firmware updates to hardware partners in early December. It addressed five generations of Intel processors, only customers began reporting an unusually high number of system reboots after applying the update. As Krzanich said in his opening statement, Intel still has "more to do." 
That said, how long Intel knew about the issues prior to the public exposure is unknown at this point. The next processor family slated to hit the market is Intel's eighth-generation "Cannon Lake" chips in early 2018, the company's first processors based on 10nm process technology. It's essentially a smaller version of Intel's seventh-generation processor design, aka Kaby Lake, so hardware-based fixes for Meltdown and Spectre likely won't be present. 
Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) are three exploits presented by Google Project Zero, Cybrus Technology, and Graz University of Technology. They take advantage of how modern processors "think ahead" while computing multiple instructions using a technique called speculative execution. Processors "predict" the outcome of their tasks based on information stored in memory, thus speeding up the overall computing process. The exploits manage to access all that unsecured data. 
The problem exists in all processors dating back to at least 2011 from Intel and AMD (x86), and those manufactured by Samsung, Qualcomm, and others based on ARM's mobile processor architecture. Hardware companies are scrambling to patch what they can through software-based updates, and directly to the hardware in future processor releases as indicated by Intel.  
"Security has always been a priority for us and these events reinforce our continuous mission to develop the world's most secured products," Krzanich said. "This will be an ongoing journey." 

Read more
Microsoft’s latest Windows 10 patch will address Spectre Variant 2 CPU flaw
intel could make billions off meltdown spectre insecure exploits processor

Microsoft now provides a new manual update for Windows 10 devices based on sixth-generation Intel processors. It addresses the Spectre Variant 2 flaw in these CPUs, which could give hackers access to sensitive information if they have direct contact with the device. The fix is specifically for Windows 10 version 1709 (Fall Creators Update) and Windows Server version 1709 (Server Core). 
The update applies to most Intel sixth-generation processors in the mainstream market: High-performance desktop chips (S), high-performance mobile chips (H), low-power mobile CPUs (U), ultra-low-power chips in tablets (Y), and those that fall under Intel's Skylake-U32e umbrella. You can determine the generation of your CPU by the number following the hyphen in its name, such as the "6" in the Core i7-6820HK laptop CPU. 
The manual Windows 10 update arrives after Intel issued revised updates addressing the Meltdown and Spectre exploits uncovered by Google Project Zero. The company began rolling out fixes in December 2017 just before the exploits when live, but Intel soon pulled the distributions based on reports of incompatibility and frequent system reboots. 
In addition to addressing security issues in sixth-generation CPUs, Intel newest update also attacks Meltdown and Spectre on seventh-generation (Kaby Lake) and eighth-generation (Coffee Lake) chips. That includes the company's Core-branded processors, the massive Core-X chips, Xeon Scalable CPUs, and the Xeon D processors. But Microsoft's manual update only applies to sixth-generation chips. 
"This update is a standalone update available through the Microsoft Update Catalog," the company says. "This update also includes Intel microcode updates that were already released for these Operating Systems at the time of Release To Manufacturing (RTM). We will offer additional microcode updates from Intel thru this KB Article for these Operating Systems as they become available to Microsoft." 
Typically, device owners can grab the Meltdown and Spectra updates in three ways: through motherboard manufacturers and device manufacturers like Dell and HP, and through Microsoft via Windows Update. For the former two, refreshed firmware updates the processor with new microcode. Meanwhile, Windows does something similar as it boots the device. 
But in this case, Microsoft makes the Spectre patch available through the Microsoft Update Catalog for a wide, manual distribution across multiple Windows 10 devices. There are two patches provided by Microsoft, one of which is designed for x64-based systems. After installation, you may be required to start your PC. 
Previously, Microsoft issued an update for Spectre Variant 2 for Windows 7 SP1, Windows 8.1, and Windows 10, but issued another update to reverse the mitigation due to performance issues and unexpected reboots. On January 22, Intel requested that all device manufacturers and operating system developers cease distributing updates until Intel addressed the issues. Now the company appears to be quite confident that it squashed all the microcode bugs. 
"This effort has included extensive testing by customers and industry partners to ensure the updated versions are ready for production," Navin Shenoy, Intel's executive vice president and general manager of the Data Center Group, said in a statement. "On behalf of all of Intel, I thank each and every one of our customers and partners for their hard work and partnership throughout this process." 

Read more
Intel warned Chinese tech firms of security flaws before telling U.S. government
top tech stories intel

Intel warned certain customers, including Chinese tech firms, of the Spectre and Meltdown security flaws before notifying the United States government, the Wall Street Journal reported. The flaws were first discovered by Google's Project Zero team in June 2017. Intel held off on disclosing the issue while it worked on possible fixes. The company planned to make the announcement on January 9, but The Register broke the story on January 2. Intel then confirmed the news the next day.

Intel did notify several major tech firms in an effort to limit the potential damage and help work on fixes. A representative from the Department of Homeland Security said that the department did not learn of the flaws until the news was broken, however. Homeland Security is often notified of such issues before the public, and often acts as a source of guidance for how to address them.

Read more