Two new versions of Spectre vulnerability discovered

Google and Microsoft researchers report about two new Spectre vulnerabilities

It didn’t take long to find new security vulnerabilities since Spectre and Meltdown flaws were reported in January 2018.^[1] The major issues with vulnerable processors seems to be patched already. However, researchers from Google and Microsoft address about Spectre Variant 3a and Spectre Variant 4 – new variants of Spectre vulnerability.

Spectre Variant 3a is known as Rogue System Register Read (CVE-2018-3640) and allows attackers extracting sensitive information. The vulnerability allows a local attack and lets reading system parameters.

Meanwhile, the Spectre Variant 4 is identified as Speculative Store Bypass (SSB) (CVE-2018-3639) and allows reading older information stored on memory or CPU stack. Additionally, this side-channel vulnerability might:

“allow less privileged code to:

• Read arbitrary privileged data; and
• Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.”^[2]

Just like previous Spectre and Meltdown flaws, these vulnerabilities affect Advanced Micro Devices (AMD) and Advanced RISC Machine (ARM) and Intel processors too.

Hardware-related security flaws exist in Intel processors: patches are coming soon

Spectre and Meltdown vulnerabilities were discovered in Intel processors. However, the company told that they are expecting to find similar flaws again. During the past couple of months, they were working with Google and Microsoft, and finally, reported about new hardware-related security vulnerabilities in a bunch of Intel-based platforms.

Intel released the information which processors might include Spectre 3 and Spectre 4 vulnerabilities. Hence, users are advised to check product information on their website ^[3] and follow their recommendations:

Please check with your system vendor or equipment manufacturer for more information regarding updates for your system. For non-Intel based systems please contact your system manufacturer or microprocessor vendor. [Source: Intel]

Researchers tell that Spectre Variant 4 should be mitigated with earlier released Spectre and Meltdown patches. However, Intel is currently working with partners in order to release BIOS and software updates which should be released as soon as possible.^[4]

Intel is working on hardware protections against Spectre

When Spectre vulnerabilities were released, Intel stated that they are working on improving hardware protection. The company promises hardware design changes and adding an extra layer of security from partitioning.

In the press release issued on March, Intel CEO Brian Krzanich told that they want to offer not only best products but secure performance as well. According to the CEO, new and processors should be available in the second half of the year:

These changes will begin with our next-generation Intel® Xeon® Scalable processors (code-named Cascade Lake) as well as 8th Generation Intel® Core™ processors expected to ship in the second half of 2018.[Source: Intel]

There’s no doubt that old Intel device users’ won’t rush to the shops to buy new products as soon as they appear on the market. Current Intel processors users should follow security news and install firmware updates. According to the company, security patches are available for all their products released in the past five years.^[5]