A report by C’T Magazine claims that eight new security flaws found in modern processors will be disclosed by Intel in the near future. Intel hasn’t directly addressed the vulnerabilities claimed in the report, but has confirmed the reservation of Common Vulnerabilities and Exposures (CVE) numbers, which is part of the investigation and mitigation of possible issues.
“Protecting our customers’ data and ensuring the security of our products are critical priorities for us,” Intel’s Leslie Culbertson said in a statement on Thursday, May 3. “We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up to date.”
According to the report, Meltdown and Spectre weren’t the last of the flaws discovered in modern processor designs. Several research teams have reportedly already disclosed eight new security flaws to Intel, all of which stem from the same design problem. The details regarding these eight flaws are unknown, but they are currently dubbed as Spectre Next Generation.
Don’t let the Star Trek-like name fool you, each flaw will have its own CVE number just like Meltdown and Spectre. Thus, Intel will be required to provide eight different patches.
The Spectre Next Generation patches will supposedly be provided in two waves: The first in May and the second in August. Intel classifies four as “high risk,” so we should expect to see those mitigations this month, while the “medium” vulnerabilities may be fixed this summer.
The flaws are reportedly similar to the original Spectre exploits, save for one that poses a higher risk than Spectre Variant 1 and Variant 2. It could allow a hacker to launch malicious code in a virtual machine, which is a software emulation of a fully functional PC. They are typically used in corporate environments to reduce hardware costs, and run on high-powered data center servers.
Still, the exploit could allow the hacker to attack the host server through a virtual machine, giving the individual access to all the information stored in the server’s memory. That is a problem when servers are running multiple virtual machines simultaneously.
“Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap,” the report states. “Intel’s Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.”
Intel isn’t the only CPU maker facing additional patches. The report says some ARM-based processors are also vulnerable to the Spectre Next Generation flaws, while researchers are currently investigating AMD’s processor family for similar vulnerabilities.