Spectre NG – New security holes in Intel CPUs

Since the beginning of 2018 the security holes Spectre and Meltdown, that were found in Intel CPUs are on everyone’s lips. Just now that there are some helpful updates, researchers found new – even more – security holes in these processors.

Spectre Next Generation

According to current information researcher groups have found eight new security holes in Intel CPUs. Each of them are essentially caused by the same design problem and that’s why they are called “Spectre Next Generation”. At the moment the flaws are being kept secret but c’t has some exclusive information.

High risk for clouds

Four of the eight vulnerabilities are classified as “high risk” by Intel itself – the remaining are rated as “medium”. According to c’t one of the Spectre Next Generation flaws simplifies attacks across system boundaries to such an extent that they estimate the threat potential to be significantly higher than with Spectre. Especially for cloud hoster this is a high risk regarding the security because passwords and keys for data transfer are at risk. In addition to this Intel’s Software Guard Extension that protects sensitive data is not protected against Spectre.

CPU patches in progress

c’t has exclusive information from Intel and their plans for the patches. Each of the eight Next Generation flaws needs its own patches on which Intel is already working – on some together with operating system manufacturers. Intel plans two patch surges: One of them in May and the second one in August. It is highly recommended to make these updates asap.

Intel’s statement

"Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."

[UPDATE]: First patches delayed by Intel

As we mentioned already in the text above, the first patches for the Spectre Next Generation flaws were planned to be released this May – more precisely on 7 May. This day is over and there are still no patches because Intel asked for more time.
It’s obvious that Intel has problems with providing the updates in time and now they moved the release date to the 21 May. By then there are supposed to be microcode updates and they even want to publish some information about two of the Spectre NG flaws. According to heise – who have exclusive information – this date is far away from being a fixed appointment: Intel allegedly applied for another extension of time until the 10 July. [UPDATE/]

Source: heise ; c’t

##Read our last blog post about Intel’s Spectre and Meltdown

More on this topic

7 Feb 2018 Array ( [id] => 316 [title] => Spectre and Meltdown – News about the recent CPU problems [authorId] => [active] => 1 [shortDescription] => As we mentioned in our last ‘What’s New’ article the security breaches Spectre and Meltdown are often discussed in recent days and weeks. What happened, what it’s all about and how the spo-comm Mini-PCs are affected you can find here. [description] =>

The history of Spectre and Meltdown

Since the beginning of the year urgent news causes trouble in the IT world: the CPU problems Spectre and Meltdown. The CPUs that are affected mostly come from Intel, but also AMD and smartphone chips by Apple and Samsung. Intel was already informed about these security breaches in June 2017 but only made it public at the beginning of January 2018.

Processor bug: What is happening?

Skillfully attackers, exploiting these vulnerabilities, are able to extract data that the computer processes in its memory – including passwords. Modern CPUs count on the so called out-of-order feature. In this process commands are executed speculative and probable not used data is loaded into the cache. Due to bad speculation it is possible that these commands are not executed in the program flow. Exactly those speculations enable the attack scenarios that were discovered.

Which CPUs are affected?

Mostly Intel suffers from these security breaches. They concern for example processors from the Core generation since 2008 but also the series Intel Atom C, E, A, x3 and Z as well as the Celeron and Pentium series J and N.

You can find the official Intel website about this topic and the list of all affected Intel CPUs here.

Also Google takes informs that processors from AMD and ARM are affected. They say Android systems are concerned but they are protected with the last security update from January 2nd. Apple has already fixed some of the bugs and plans to come up with new fixes with the update 10.3.3.

Here you can find the official website from AMD.

Which measures are there against Spectre and Meltdown?

The security breaches can be fixed by using complex security patches for all operating systems. Chaos is dominating the situation right now: BIOS updates with CPU microcode updates are provided by only a few producers. Microsoft already pull back its Windows patch for older systems. Apple gives blurry explanations regarding what happens to Macs produced before 2010, on which macOS High Sierra isn’t running.

According to some sources – which were not confirmed by Intel, AMD or other producers – the security updates slow down the older (produced before 2013) and weaker processors more than modern ones. For desktop PCs, notebooks and tablets with newer CPUs and Windows 10 the performance decrease is minimal. However in case of Windows 7 PCs with older CPUs Microsoft expects significant performance losses. The most concise impacts are found in systems with Intel processors and fast SSDs (especially PCIe SSDs with NVM protocol) when not just Windows updates but also the microcode update is made.

You can find the official Microsoft website here.

Microsoft Security TechCenter

Fake BSI mails about the security updates

Caution with fake e-mails about would-be updates concerning Spectre and Meltdown. Written in the name of the BSI (The German Federal Office for Information Security) the writer warns you that your terminal device is vulnerable and wants you to make those updates. You can find an example of such an e-mail under the following link.

Affected spo-comm Mini-PCs

Together with our partners we are constantly searching for solutions and are testing them. We are planning to provide fitting updates as soon as we get reliable information from Intel or Microsoft.

These spo-books are according to the current status not affected:

•    spo-book WINDBOX II
•    spo-book WINDBOX II Plus
•    spo-book BRICK MSE45
•    spo-book BRICK NM10
•    spo-book TURO GM45
•    spo-book NOVA GM45
•    spo-book BOX NM10
•    spo-book FLUKE NM10
•    spo-book iDESK
•    spo-book MOVE NM10
•    spo-book RUGGED NM10
•    spo-book MOVE T56N
•    spo-book RUGGED T56N
•    spo-book ION 2
•    spo-book ION 3
•    spo-book POS NM10
•    spo-book POS NM10 slim
•    spo-book SQUARE 15
•    spo-book TECH 92F
•    spo-book UNO NM10
•    spo-book WINDBOX III

Regarding the Spectre and Meltdown problems spo-comm advises:

•    Constantly keep an eye on the updates from Intel, AMD and Microsoft
•    First test the updates on a test PC in the deployment scenario before installing them on live PCs
•    Test the security patches on older devices and check the performance because it can come to performance losses
•    Be careful with BSI e-mails as they can be faked


##Read our last What's New article

[views] => 12 [displayDate] => DateTime Object ( [date] => 2018-02-07 13:00:00.000000 [timezone_type] => 3 [timezone] => Europe/Berlin ) [categoryId] => 234 [template] => [metaKeyWords] => [metaDescription] => [metaTitle] => [tags] => Array ( ) [author] => [assignedArticles] => Array ( ) [media] => Array ( [0] => Array ( [id] => 5067 [blogId] => 316 [mediaId] => 60884 [preview] => 1 [media] => Array ( [id] => 60884 [albumId] => 24 [name] => Spectre_und_Meltdown_02 [description] => [path] => media/image/Spectre_und_Meltdown_02.png [type] => IMAGE [extension] => jpg [userId] => 56 [created] => DateTime Object ( [date] => 2019-12-04 00:00:00.000000 [timezone_type] => 3 [timezone] => Europe/Berlin ) [fileSize] => 125830 [width] => 1500 [height] => 1000 ) ) ) [attribute] => Array ( [id] => 313 [blogId] => 316 [attribute1] => NULL [attribute2] => [attribute3] => [attribute4] => [attribute5] => [attribute6] => [digi1Inactivateblogarticle] => 0 [digi1Sponsoredpost] => 0 [digi1Featuredpost] => 0 [digi1Hideblogdetailsite] => 0 [digi1Showleftsidebarblogdetailsite] => 0 [digi1Disablecommentfunction] => 0 [digi1Hideimageslider] => 0 [digi1Relatedblogarticle1] => 314 [digi1Relatedblogarticle2] => 320 [digi1Relatedblogarticle3] => 322 [digi1Relatedblogarticle4] => [digi1Relatedblogarticle5] => [isReference] => 0 [relatedItem] => ) [comments] => Array ( ) ) 1
know-how

Spectre and Meltdown – News about the recent CPU problems

As we mentioned in our last ‘What’s New’ article the security breaches Spectre and Meltdown are often discussed in recent days and weeks. What happened, what it’s all about and how the spo-comm Mini-PCs are affected you can find here.
29 Mar 2018 Array ( [id] => 322 [title] => Update to Intel’s Spectre and Meltdown [authorId] => [active] => 1 [shortDescription] => After the occurrence of Spectre and Meltdown at the beginning of this year it got fairly quiet about these processor security holes. Intel’s CEO, Brian Krzanich published a post regarding the security problems Spectre and Meltdown and explains that Intel is going to continue mitigating their effects and what was already done against those exploits. [description] =>
  1. Intel points out that by now there are Microcode updates for every processor that was released in the past five years.
  2. The close cooperation with providers of antivirus programs to ensure a compatibility was also mentioned.

They announced that the hardware design of their newest processors has been changed to protect them against Spectre Variant 2 and Meltdown. There is still no solution for the Variant 1 of Spectre. According to Intel these improvements create barriers through extra security walls – on one hand between running applications and on the other hand between processors with different access rights.

The first processors that will have this hardware shield – Intel talks about, inter alia, the eighth Core-I generation – will be published in the second half of 2018, said Krzanich. It’s still not sure which processor series is actually meant with this, because the “Ice Lake” processors were initially planned as the ninth generation. Perhaps there will be sort of an “in-between” generation which is called “Whiskey Lake”.

##See our first article about Spectre and Meltdown

[views] => 11 [displayDate] => DateTime Object ( [date] => 2018-03-29 12:45:00.000000 [timezone_type] => 3 [timezone] => Europe/Berlin ) [categoryId] => 234 [template] => [metaKeyWords] => [metaDescription] => [metaTitle] => [tags] => Array ( ) [author] => [assignedArticles] => Array ( ) [media] => Array ( [0] => Array ( [id] => 5079 [blogId] => 322 [mediaId] => 60884 [preview] => 1 [media] => Array ( [id] => 60884 [albumId] => 24 [name] => Spectre_und_Meltdown_02 [description] => [path] => media/image/Spectre_und_Meltdown_02.png [type] => IMAGE [extension] => jpg [userId] => 56 [created] => DateTime Object ( [date] => 2019-12-04 00:00:00.000000 [timezone_type] => 3 [timezone] => Europe/Berlin ) [fileSize] => 125830 [width] => 1500 [height] => 1000 ) ) ) [attribute] => Array ( [id] => 319 [blogId] => 322 [attribute1] => NULL [attribute2] => [attribute3] => [attribute4] => [attribute5] => [attribute6] => [digi1Inactivateblogarticle] => 0 [digi1Sponsoredpost] => 0 [digi1Featuredpost] => 0 [digi1Hideblogdetailsite] => 0 [digi1Showleftsidebarblogdetailsite] => 0 [digi1Disablecommentfunction] => 0 [digi1Hideimageslider] => 0 [digi1Relatedblogarticle1] => 314 [digi1Relatedblogarticle2] => 316 [digi1Relatedblogarticle3] => 326 [digi1Relatedblogarticle4] => [digi1Relatedblogarticle5] => [isReference] => 0 [relatedItem] => ) [comments] => Array ( ) ) 1
know-how

Update to Intel’s Spectre and Meltdown

After the occurrence of Spectre and Meltdown at the beginning of this year it got fairly quiet about these processor security holes. Intel’s CEO, Brian Krzanich published a post regarding the security problems Spectre and Meltdown and explains that Intel is going to continue mitigating their effects and what was already done against those exploits.
27 Apr 2018 Array ( [id] => 326 [title] => Update to Intel’s Spectre and Meltdown – Part 2 [authorId] => [active] => 1 [shortDescription] => Owners of older PCs with Windows 10 are waiting desperately for BIOS updates. The affected CPUs need these updates to protect Windows 10 against Spectre (variant 2) – but Microsoft doesn’t provide them. As an alternative there is now an optional Windows update. [description] =>

Windows update KB4090007 for Windows 10

Hoping for BIOS updates for Intel processors from the years 2013 and 2014 has come to an end. With its latest version from the 24 April 2018  the optional Windows update KB4090007 provides not only microcode updates for Coffee Lake (Core i-8000), Kaby Lake (i-7000) and Skylake (i-6000) but also for Broadwell (i-5000) und Haswell (i-4000). The update is available for 32- and for 64-Bit versions of Windows 10 – still it can only be downloaded via the Windows Update Catalog  over an unsecured http connection. Windows 10 PCs with Intel Atom processors still need BIOS updates.

KB4090007 also has a solution for another problem: In December 2017 Microsoft has provided BIOS updates with Microcode updates for some devices but the PowerShell-Script Get-SpeculationControl still reports no BTI protection.

Meltdown patches for Windows 7

Microsoft doesn’t provide Microcode updates for Windows 7 via Windows update because in this case BIOS updates are necessary. At the end of March some major problems occurred concerning the Meltdown patches for the 64-bit versions. These problems are known as the “Total Meltdown”. Those who followed installing these patches from the beginning on, are protected against Total Meltdown.

To make sure whether you’re protected a PoC (Proof of Concept)  was published.

Source: heise

 

##Read the first part of our Spectre and Meltdown series

##Read the last update on spectre and Meltdown

[views] => 10 [displayDate] => DateTime Object ( [date] => 2018-04-27 12:45:00.000000 [timezone_type] => 3 [timezone] => Europe/Berlin ) [categoryId] => 234 [template] => [metaKeyWords] => [metaDescription] => [metaTitle] => [tags] => Array ( ) [author] => [assignedArticles] => Array ( ) [media] => Array ( [0] => Array ( [id] => 5081 [blogId] => 326 [mediaId] => 60884 [preview] => 1 [media] => Array ( [id] => 60884 [albumId] => 24 [name] => Spectre_und_Meltdown_02 [description] => [path] => media/image/Spectre_und_Meltdown_02.png [type] => IMAGE [extension] => jpg [userId] => 56 [created] => DateTime Object ( [date] => 2019-12-04 00:00:00.000000 [timezone_type] => 3 [timezone] => Europe/Berlin ) [fileSize] => 125830 [width] => 1500 [height] => 1000 ) ) ) [attribute] => Array ( [id] => 323 [blogId] => 326 [attribute1] => NULL [attribute2] => [attribute3] => [attribute4] => [attribute5] => [attribute6] => [digi1Inactivateblogarticle] => 0 [digi1Sponsoredpost] => 0 [digi1Featuredpost] => 0 [digi1Hideblogdetailsite] => 0 [digi1Showleftsidebarblogdetailsite] => 0 [digi1Disablecommentfunction] => 0 [digi1Hideimageslider] => 0 [digi1Relatedblogarticle1] => 314 [digi1Relatedblogarticle2] => 316 [digi1Relatedblogarticle3] => 322 [digi1Relatedblogarticle4] => [digi1Relatedblogarticle5] => [isReference] => 0 [relatedItem] => ) [comments] => Array ( ) ) 1
know-how

Update to Intel’s Spectre and Meltdown – Part 2

Owners of older PCs with Windows 10 are waiting desperately for BIOS updates. The affected CPUs need these updates to protect Windows 10 against Spectre (variant 2) – but Microsoft doesn’t provide them. As an alternative there is now an optional Windows update.