Eight new Spectre variants affecting Intel chips discovered, four are "high risk"

[midian182]

Spectre and Meltdown may not be getting as many headlines as they were a few months ago, but that could soon all change following the discovery of eight Spectre-style security issues in Intel’s CPUs.

German website Heise reports that the vulnerabilities, called Spectre Next Generation, or Spectre NG, were recently reported to Intel. The chip maker gave four of them a severity rating of high, while the remaining four were rated as medium severity.

The technical details haven’t been revealed, but the vulnerabilities’ risks and attack scenarios are similar to the original Spectre. Cloud hosting and cloud services providers are most at risk from Spectre NG, as attackers could use the exploit to gain access to data transfers and compromise secure data.

Heise writes that some ARM CPUs are also vulnerable to Spectre NG, though it’s unclear if AMD’s processors are also at risk, and if so, to what extent.

Intel is said to be working on fixes for Spectre Next Generation, while other patches are being developed alongside operating system manufacturers such as Microsoft. The report suggests that these will be released in two batches. The first could arrive as soon as this month, with the second arriving sometime in August, though these dates could always change.

As with Spectre and Meltdown, one of the biggest concerns for everyday users with Spectre NG is how the fixes could affect system performance, and whether any result in the same problems as before: Intel's microcode caused random system restarts and the company recommended users stop installing it. Microsoft eventually had to release a software update for Windows 7, Windows 8.1, and Windows 10 to disable Intel's mitigation against Spectre variant 2.

Update: Intel provided this statement to TechSpot via email:

“Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”

Permalink to story.

https://www.techspot.com/news/74447-eight-new-spectre-variants-affecting-intel-chips-discovered.html

 

[Uncle Al]

It was bound to happen but the fact that Intel has stopped issuing patches for the older processors is more than enough for me to consider going back to AMD. I'm afraid this new age of little to no support after the sale may be a trend that won't stop ......

 

[MoeJoe]

Out of control ...

 

[MoeJoe]

It was bound to happen but the fact that Intel has stopped issuing patches for the older processors is more than enough for me to consider going back to AMD. I'm afraid this new age of little to no support after the sale may be a trend that won't stop ......

I'm already planning my next build. Ryzen2 !

MSI dropping the patch ball on my Broadwell-E machine was enough to make me stop and think.
Now there's this...

 

[HIC99]

All the meltdown and spectre variants are beginning to sound a lot like cancer, a "uncureable disease" for computers, and just as many types.

 

[Cycloid Torus]

Are mitigations now in place in Chrome browser and Chrome OS effective?

https://www.phoronix.com/scan.php?page=news_item&px=Chrome-64-Released

Sufficient? More coming?

 

[DelJo63]

That's a tad out dated:

Chrome 64 Ships With Spectre/Meltdown Mitigation, CSS Additions
Written by Michael Larabel in Google on 24 January 2018 at 04:48 PM EST. 3 Comments

Secondly, as the issue is the kernel speculative look-ahead execution of branch code, NO APPLICATION can defend against Spectre, sigh.

[edit] correction: it's in the chip itself, below the kernel level, sorry[/edit]

 

[TheBigT42]

I bet it is the NSA or some other goobernment agency forcing Intel create these back doors.

 

[DelJo63]

I bet it is the NSA or some other goobernment agency forcing Intel create these back doors.

Hmm; FUD imo. I'm not with the conspiracy crowd. Remember, computers are quiet young still and there's always surprises when you're still in the learning curve.

 

[TheDevopsGuy]

I bet it is the NSA or some other goobernment agency forcing Intel create these back doors.

Hmm; FUD imo. I'm not with the conspiracy crowd. Remember, computers are quiet young still and there's always surprises when you're still in the learning curve.

Computers are constantly evolving and updating it is not farfetched to expect new exploits to arise in time they'll eventually be patched and new exploits will be discovered soon after,it's just how the Computer world functions these days

 

[Capaill]

It's not possible to design a perfect computer or OS that is impervious to attack, yet still capable of running the millions of programs it is expected to. But it is possible to fix what we have as new exploits are discovered.
It would be foolish of us to criticise Intel for a poor design. We only get to criticise them when they know it's a poor design and do nothing to resolve it (as they did for years before the first Spectre variants were made public).

 

[Theinsanegamer]

I bet it is the NSA or some other goobernment agency forcing Intel create these back doors.

IMO this was more intel being WAY to aggressive with cache predictions, and that predictive behavior backfiring on them.

 

[TheDevopsGuy]

It's not possible to design a perfect computer or OS that is impervious to attack, yet still capable of running the millions of programs it is expected to. But it is possible to fix what we have as new exploits are discovered.
It would be foolish of us to criticise Intel for a poor design. We only get to criticise them when they know it's a poor design and do nothing to resolve it (as they did for years before the first Spectre variants were made public).

Especially if we consider that they won't even patch known Spectre bugs on old processor models.

 

[regiq]

I bet it is the NSA or some other goobernment agency forcing Intel create these back doors.

Hmm; FUD imo. I'm not with the conspiracy crowd. Remember, computers are quiet young still and there's always surprises when you're still in the learning curve.

Yep, in my opinion the spectre and meltdown flaws are no backdoors but the effect of Intel's design shortcuts to outclass the competition.
But when you look at what they did introducing IME (and later AMD it's similar tech) and connect that with Snowden's revelations... Hmm
https://libreboot.org/faq.html#intel

 

[Flebbert]

Honestly don't think which you buy they are all at risk.... give it a few months and I think AMD will be in the spotlight again.

 

[merikafyeah]

Honestly don't think which you buy they are all at risk.... give it a few months and I think AMD will be in the spotlight again.

Only this time they'll be given a whopping 48 hours to react instead of 24 smh.
Yes I'm never going to forget that fiasco "Intel" pulled off recently which turned out to be a complete farce created in an attempt to short AMD stock. It was so patently absurd I'm still awed no one even got a slap on the wrist for what's basically insider trading.

 

[Jimster480]

All the meltdown and spectre variants are beginning to sound a lot like cancer, a "uncureable disease" for computers, and just as many types.

Yes and they mostly just infect shittel CPU's.

 

[Jimster480]

Honestly don't think which you buy they are all at risk.... give it a few months and I think AMD will be in the spotlight again.

They won't, because Intel paid some random firm to make up fake exploits for AMD. Exploits based on chipsets installing rogue firmware from someone with physical access to the computers and classified them as CPU exploits when only one can possibly infect the CPU and none are remote-exploitable.

Its called pathetic desperation on the part of Intel who was lazy and complacent in anything other than bringing in cash in the last years.

 

[Jimster480]

I bet it is the NSA or some other goobernment agency forcing Intel create these back doors.

These aren't really backdoors, just poor designs.

 

[Abraka]

I bet it is the NSA or some other goobernment agency forcing Intel create these back doors.

While you're right that NSA and similar agencies force CPU, router and software producers to add backdoors (such as Intel Management Engine), in this case it's hard to say whether it's a design flaw or deliberate back orifice.

What's suspicious is that instructions that normally check for memory bounds don't check when executed speculatively. There's no good reason why not to obey RAM bound-check while in speculative mode. So... this could be deliberate. But it could also be just an oversight. Hard to tell.

But easy to fix. Just add bound-checking in the next generation of chips and Spectre drops dead. It's really unclear why didn't they switched on bound-checking in the first place. Is Intel really hiring that poor engineers?

 

[Dimitrios]

Don''t worry folks, INTEL will just keep hiring more AMD workers like they did the last 2-3 months and they will pull some sort of dirty illegal monopoly tactic like they did back in the 90's & early 2000's.

 

[DavidGurney]

Why would anyone buy a computer until CPUs are redesigned to eliminate this vulnerability?

I guess only because they have to have one now.

The other question is whether revised CPUs will be pin-compatible with current ones. Intel's pretty stupid not to make some announcement about this, because plenty of people will simply not buy computers until there's a hardware solution.

Of course, that doesn't help Apple owners; Apple's ever-degrading construction means everything's soldered in and glued together. This fiasco is a great example of why that is a stupid approach for customers.

 

[tipstir]

Intel and AMD CPU all based on the same sort of scheme so why wouldn't both be effected. Of course they would be if some rouge code was still present. You pay for what you get. These two companies only can develop and run bugs to check rouge CPU code. Thus if they do catch it then you see more Intel Celoron or code name No-Release Chip but yet they sell them anyway. AMD how Sempron too. All about money not protecting the public. The approach has always been the same way "oh well if we didn't catch it the first time let the public deal with the issue"

 

[DelJo63]

IMO, this is a great example of what occurs when there are too few choices (aka monopolies). If the consumer desires to walk out with his pocket book, just what other choices are there for a processor??? Without another choice, the vendor has ZERO necessity to do anything whatsoever :sigh:

 

[Hasbean]

IMO, this is a great example of what occurs when there are too few choices (aka monopolies). If the consumer desires to walk out with his pocket book, just what other choices are there for a processor??? Without another choice, the vendor has ZERO necessity to do anything whatsoever :sigh:

IMO, consumers don't give a hoot. The overwhelmingly vast majority of CPU sales are to OEM PC makers. Consumers are only presented with a choice of how much and how shiny and are easily led to purchases based mainly on inexperienced sales staff incentivised by the best outcome for themselves.