It's only been a short few months since the Spectre and Meltdown vulnerabilities (which we have covered extensively) were discovered, sending chipmakers and software companies scrambling to release fixes. Both manifested due to glaring flaws in CPU design, collectively impacting billions of CPUs, not just from Intel and AMD, but also those based on designs from ARM. The fallout from Spectre and Meltdown was ultimately quite devastating - most patches, at least the one for the second variant of Spectre, brought with them a significant performance hit, especially on older CPUs. Unfortunately, Intel CPUs accounted for over 60% (~1,800) out of the over 2,800 CPUs affected.
But it seems the worst isn’t over yet, as security boffins have discovered eight more vulnerabilities, affecting Intel CPUs, caused due to the same design problem that led to Spectre and Meltdown. For the time being, it isn’t clear if or to what extent CPUs from other manufacturers are affected. All eight vulnerabilities, will be uniquely identified on the Common Vulnerabilities and Exposures (CVE) database for cybersecurity vulnerabilities, and are expected to require discrete patches to fix. The good news is that several teams of security researchers have already reported them to Intel, so the compromising bits aren't quite in the public domain yet, giving the Intel some much needed time to work on a solution.
That being said, it appears that Google’s Project Zero may have discovered at least one of the eight vulnerabilities a while ago, and their stringent 90-day non-disclosure window may be very close to lapsing, perhaps as early as May 7, if sources are to be believed. After that, their policy is to publicly release information on the vulnerability, regardless of whether a fix is out. While this incentivizes manufacturers to release patches on time, the hard 90-day deadline could be a double-edged sword at times, given the potential impact to user security should a solution fail to arrive before public disclosure. In any case, Intel is expected to release microcode updates in two waves; one in May, and the other in August. Microsoft is also likely working on a fix, which should align with Intel’s timeline.
As for the vulnerabilities themselves, Intel has classified four as ‘high risk’ and the others as ‘medium risk’. At the moment, at least one vulnerability is being deemed riskier than the rest, primarily because it may allow malicious code to be executed at the VM-level, before ultimately leveling an attack at the host, or at other VMs on the same server. Hackers could also intercept sensitive data such as passwords and keys, given Intel’s Software Guard Extensions (SGX) aren't entirely immune to Spectre either.
In the interest of disclosure, and to avoid a potential PR debacle, Leslie Culbertson, Intel’s Executive Vice President and General Manager of Product Assurance has already released a statement, essentially confirming the vulnerabilities.
However, to put things in perspective, designing and engineering CPUs is a difficult task and takes a lot of time. To date, we're yet to see any new CPUs with actual hardware-level changes to the microarchitecture that resolve the first-generation Spectre and Meltdown vulnerabilities. In the meantime, pushing out microcode updates, and software patches is the only workaround.
37 Comments - Add comment