Security pros: Get ready to patch for 8 new Spectre-related vulnerabilities soon

A German IT magazine reported that the vulnerabilities will be disclosed in the immediate future, but patches are coming in May and August.

Spectre-Meltdown: What business needs to know
Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Eight new Spectre-related vulnerabilities have been discovered that deal with how processors handle speculative processing.
  • Among the vulnerabilities is a "VM escape" vulnerability that is comparatively easier to exploit than the original Spectre and Meltdown.

Spectre and Meltdown--the duo of hardware-level CPU flaws that were disclosed in early January 2018--have kicked off a great deal of additional research into speculative execution-related flaws. This research has already uncovered additional points of weakness, as demonstrated in the related SgxPectre attack. However, a report by Jürgen Schmidt at Heise Media's Magazin für Computertechnik claims that eight new Spectre-related vulnerabilities are to be disclosed in the immediate future.

Schmidt refers to the vulnerabilities collectively as Spectre Next Generation--though posits that each of the vulnerabilities is of sufficient importance that they will be given individual names. In the report, Schmidt noted that the vulnerabilities are expected to affect at least Intel, and in some cases, ARM processors, though it is unclear to what extent AMD processors are affected.

The report indicates that the first wave of patches is expected in May, with a second wave of patches for August. This is deduced by Google's Project Zero team having discovered one of the issues. Project Zero, which rarely grants extensions to their policy of disclosure after 90 days, apparently will see a deadline run out on May 7th, which Schmidt noted is the day before the next Patch Tuesday at Microsoft.

SEE: Cybersecurity strategy research: Common tactics, issues with implementation, and effectiveness (Tech Pro Research)

Of the eight vulnerabilities, four are rated as "high risk," while the other four are rated as "medium" by Intel. Schmidt claims that one of the vulnerabilities is a "VM escape," which would potentially allow attackers operating in a virtual machine (VM) or container to break free from those confines and gain control of the underlying hardware. Relative to the original Spectre and Meltdown disclosures, this would be relatively trivial to exploit in the wild according to Schmidt, specifically naming cloud hosting providers "such as Amazon."

Given the difficulty that technology companies have faced in attempting to deliver patches for the original Meltdown and Spectre--it was discovered that the Windows patch can be completely bypassed by hackers, while the same patch caused a bigger security hole on Windows 7 and Server 2008 R2, and Intel's patch caused random reboots on certain systems--the new patch cycle is likely to cause a similar upheaval for businesses. While servers are at the most risk due to the nature of the problem, workstations should not be neglected during patching.

In a statement posted to their website, Intel Executive Vice President Leslie Culbertson stated:

Protecting our customers' data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.

Also see