A set of 8 new Spectre-class vulnerabilities have been found in the Intel CPUs that could affect few ARM processors and AMD processor architecture also.
Discovered by a team of security researchers, this vulnerability was named as Spectre-Next Generation, or Spectre-NG. Limited details of this flaw were initially leaked to the journalists at German computer magazine Heise, which claims that the four of the vulnerabilities were considered as high risk and four as medium risk ones.
These new flaws had originated from the same design issue that caused the original Spectre flaw, but there are reports saying that one of the newly discovered flaws allows the attackers to easily attack the host systems using a virtual machine which makes it more frightening than the original Spectre vulnerability.
It could also attack the virtual machines of other customers that runs on the same server. It is reported that the passwords and secret keys used for secure data transmission are highly targeted on cloud systems and are at risk due to this issue. But this Spectre-NG vulnerability can be exploited for attacks across system boundaries, taking this threat to a new level. Cloud service providers such as Amazon and their customers will be largely affected.
Spectre vulnerability that was reported this year beginning depends upon a side-channel attack on a processors’ speculative execution engine, thereby allowing a malicious program to read sensitive information, like passwords, encryption keys, or sensitive information, including that of the kernel.
The German site however did not reveal the name of the security researchers who have reported these flaws. They say that the flaws were reported to the Intel almost 88 days ago. It is a good practice to disclose the vulnerabilities to the vendors but the researchers do not want their details to be declared early.
Response of Intel to the Spectre-NG Vulnerability
Intel has responded to the news in a statement, which neither confirms nor denies the reality of the Spectre-NG vulnerabilities:
They stated that to protect their customers’ data and ensure their products security are their main priorities. They timely work closely with customers, partners, other chip makers and researchers to understand and diminish any issues that are identified which involves a process of reserving blocks of CVE numbers. They also reported that they strongly believe in the value of coordinated disclosure and would be willing to share any details on any potential issues once they have been reduced. They encourage their customers to keep their systems up-to-date.
The new Spectre-NG vulnerabilities has affected Intel CPUs, and also some of the ARM processors are vulnerable to the issues, however the impact on AMD processors has yet to be confirmed.
As per the German site, Intel has already acknowledged the new Spectre-NG vulnerabilities and are planning to release security patches in who shifts—one in May and another for August.
However, it is not sure whether applying new patches would impact the performance of vulnerable devices.