Spectre NG – New security vulnerabilities in Intel processors

04.05.2018

Since the beginning of the year, everyone has been talking about the Spectre and Meltdown security vulnerabilities, which primarily affect Intel processors. Now that some helpful updates are available, researchers are finding new – even riskier – vulnerabilities in the processors.

Spectre Next Generation

Research teams have now discovered eight new security vulnerabilities in Intel CPUs. All eight essentially stem from the same design problem and are therefore called "Spectre Next Generation". The vulnerabilities are currently still being kept 'secret' - exclusive information on them is available to c't.

High risk for clouds

Intel classifies four of these eight vulnerabilities as high-risk - the others are rated 'medium'. According to c't, one of the next-generation vulnerabilities is particularly threatening: it can be exploited for attacks across the boundaries of virtual machines. This poses an enormous security risk, especially for cloud hosters, as passwords and secret keys for data transmission are at risk. In addition, Intel's Software Guard Extensions (SGX), which are meant to protect sensitive data, are not protected against Spectre.

CPU patches in progress

So far, c't only has information from Intel and its patch plans. Each of the eight next-generation vulnerabilities requires its own patches, which Intel is already working on - in some cases together with operating system manufacturers. Intel is planning two patch waves: the first is to take place in May, the second is planned for August. It is recommended to install these Spectre Next Generation updates quickly.

Statement from Intel

"Protecting our customers' data and ensuring the security of our products is a top priority at Intel. We are constantly working closely with customers, partners, other chip manufacturers and security researchers to understand and solve problems. This process also includes reserving blocks of CVE numbers. We stand firmly behind the concept of coordinated disclosure [of vulnerabilities] and will share additional information on potential issues as we finalize safeguards. As a general rule, we recommend that everyone continuously updates their systems."

[UPDATE]: First patches postponed

As mentioned in the text above, the first patches for the Spectre-NG vulnerabilities were planned for this May - Monday, May 7th to be exact. That date has now passed and there are no patches: Intel asked for a delay.
Intel evidently has problems providing the updates in time and has now postponed the release - for the time being by 2 weeks; the new date is May 21st. This is when new microcode updates are to be made available, and Intel wants to announce information on two of the Spectre Next Generation vulnerabilities at the same time. According to heise - with exclusive information - this date is not yet fixed either: Intel is said to have already applied for a further deadline extension until July 10. [UPDATE /]

Source: heise; c't
