Spectre Next Generation vulnerabilities affect Intel processors

Intel is facing another wave of reported security issues that affect the company's processors. The vulnerabilities, called Spectre Next Generation or Spectre NG, have not been disclosed publicly yet.

A report on the German computer magazine site Heise suggests that eight new vulnerabilities were reported to Intel recently. Intel gave four of the eight vulnerabilities a severity rating of high and the remaining four a severity rating of medium according to Heise.

The exploitability of one of the vulnerabilities appears to be higher than that of previous issues as attackers may abuse the issue to break out of virtual machines to attack the host system or other machines, reports Heise.

Companies that provide cloud hosting or cloud services are primary targets for the vulnerability as attackers may exploit it to gain access to data transfers and data.

Intel released patches and updates for the majority of processors that it announced would receive updates to protect against the previously disclosed Spectre and Meltdown variants. Some updates are still missing, however, and it is likely that many computer systems are not yet protected against attacks.

One reason for that is that Microsoft has not distributed updates through Windows Updates yet. The company released standalone updates for Windows 10 but not for Windows 7 or Windows 8.1, or the recently released Windows 10 version 1803.

It appears that Windows 10 version 1809 (the next feature update for Windows 10) might include the updates.

Microsoft's track record of protecting customer devices against potential attacks is not the best. The company did release initial patches in January but retracted them after a short while. While it has released updates for some of its supported operating systems, updates for other versions are still nowhere to be seen.

Even worse, the Meltdown updates for Windows 7 and Windows Server 2008 R2 introduced a new vulnerability on patched systems that the researcher called Total Meltdown.

Heise's report suggests that Intel plans to release patches for Spectre Next Generation vulnerabilities in two batches. The first patches could be released as early as May 2018, the second patches in August 2018.

If Intel's current track record holds, it is likely that the patches will be released at different times for different processor families.

Good news is that attacks against user systems using Spectre or Meltdown exploits are not widespread and that this is probably not going to change anytime soon.

Update: An Intel spokesperson provide the following statement:

Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.

Closing Words

Be prepared for another round of updates that patch Spectre issues and side-effects such as performance drops. It seems likely that the eight new vulnerabilities are not the last that we will see in the coming years.

Now You: How do you deal with Spectre and Meltdown?