Spectre and Meltdown may not be getting as many headlines as they were a few months ago, but that could soon all change following the discovery of eight Spectre-style security issues in Intel’s CPUs.
German website Heise reports that the vulnerabilities, called Spectre Next Generation, or Spectre NG, were recently reported to Intel. The chip maker gave four of them a severity rating of high, while the remaining four were rated as medium severity.
The technical details haven’t been revealed, but the vulnerabilities’ risks and attack scenarios are similar to the original Spectre. Cloud hosting and cloud services providers are most at risk from Spectre NG, as attackers could use the exploit to gain access to data transfers and compromise secure data.
Heise writes that some ARM CPUs are also vulnerable to Spectre NG, though it’s unclear if AMD’s processors are also at risk, and if so, to what extent.
Intel is said to be working on fixes for Spectre Next Generation, while other patches are being developed alongside operating system manufacturers such as Microsoft. The report suggests that these will be released in two batches. The first could arrive as soon as this month, with the second arriving sometime in August, though these dates could always change.
As with Spectre and Meltdown, one of the biggest concerns for everyday users with Spectre NG is how the fixes could affect system performance, and whether any result in the same problems as before: Intel's microcode caused random system restarts and the company recommended users stop installing it. Microsoft eventually had to release a software update for Windows 7, Windows 8.1, and Windows 10 to disable Intel's mitigation against Spectre variant 2.
Update: Intel provided this statement to TechSpot via email:
“Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”