Companies involved in the manufacture of CPU chips are facing a new wave of Spectre speculative execution vulnerabilities, which could be revealed during this week, a German technology company reported.
According to the group of information security experts, it has been confirmed that the eight defects affect the CPUs manufactured by Intel Corporation, and likewise could affect the ARM and AMD chips. The experts commented that Intel plans to release patches in two phases: the first in May and the second in August.
“Protecting our customers’ data and guaranteeing the safeties of our products are key priorities, we work in collaboration with clients, partners, other manufacturers and researchers to understand and mitigate any problem that is identified, and part of this process involve booking blocks. CVE numbers, “said Leslie Culbertson, EVP and general manager of product security at Intel, in a press release that addresses the new findings. “We believe in the value of coordinated disclosure and will share additional details about any possible problems as we complete mitigations, and we continue to encourage everyone to keep their systems up to date.”
These vulnerabilities, which have been referred to as Spectre Next Generation (Spectre-NG), are similar to the previous vulnerabilities; when they are not patched, they can be exploited to steal information through a side channel attack that uses a low privilege application to read the memory of another, more secure application.
Information security professionals commented that one of the errors seems to be significantly more dangerous than its predecessors; the attackers can exploit it to attack a virtual machine, and use it as a starting point to later attack its host system, or the virtual machines of other clients that operate on the same server. Cloud-based service providers, host systems and servers are especially threatened and Intel’s Software Guard Extensions (SGX) will not protect cloud systems from danger, experts said.
“Assuming they prove to be legitimate, the Spectre-NG vulnerability group can pose significantly higher risks for cloud operators and multi-tenant environments than the original Spectre variants,” said security architecture chief at Juniper Networks. , Craig Dods in an email “The information provided to the German technology site … seems to imply that some of the eight new vulnerabilities facilitate VM escape mechanisms, allows the hypervisor and / or other tenants of their own virtual machine to be compromised” .
In March and April, Intel announced measures to redesign and secure its chips, according to researchers, four of the errors have been classified as high risk, and the remaining four are considered medium risk.
Several teams of researchers participated in the report of new errors to Intel, including Google Project Zero, which follows a 90-day public disclosure policy for discovered vulnerabilities. Based on this line, Google could reveal details about one of the vulnerabilities on May 7. Project Zero, along with other groups of independent researchers and academics, revealed the previous set of vulnerabilities of Spectre and Meltdown in January of this year.
According to information security researchers, Microsoft is developing patches that will be distributed in the form of Windows updates, unlike microcode updates.
“It is almost inevitable that new variants of Spectre will emerge,” said Satya Gupta, CTO and co-founder of Virsec. “Now that the vulnerabilities of speculative execution have been publicized, many funded piracy groups are competing to find new ways to exploit them.” These are advanced attacks that exploit small but repeatable flaws that miss important security controls on millions of processors. The applications will be vulnerable and some compensation controls will be effective, the attackers will look for cracks in other defenses that allow the exploitation of Spectre, “added.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.