Spectre Next Generation
According to current information, research groups have found eight new security holes in Intel CPUs. Each of them is essentially caused by the same design problem, which is why they are called “Spectre Next Generation”. At the moment the flaws are being kept secret, but c’t has some exclusive information.
High risk for clouds
Four of the eight vulnerabilities are classified as “high risk” by Intel itself; the remaining four are rated as “medium”. According to c’t, one of the Spectre Next Generation flaws simplifies attacks across system boundaries to such an extent that the magazine estimates the threat potential to be significantly higher than with Spectre. This is a high security risk for cloud hosters in particular, because passwords and keys for data transfer are at risk. In addition, Intel’s Software Guard Extensions, which protects sensitive data, is not protected against Spectre.
CPU patches in progress
c’t has exclusive information from Intel about its plans for the patches. Each of the eight Next Generation flaws needs its own patches, on which Intel is already working, on some of them together with operating system manufacturers. Intel plans two waves of patches: one in May and the second in August. It is highly recommended to install these updates as soon as possible.
"Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."
[UPDATE]: First patches delayed by Intel
As mentioned above, the first patches for the Spectre Next Generation flaws were planned for release this May, more precisely on 7 May. That day has passed and there are still no patches because Intel asked for more time.
Intel evidently has problems providing the updates on time and has now moved the release date to 21 May. By then, microcode updates are supposed to be available, and Intel even wants to publish some information about two of the Spectre NG flaws. According to heise, which has exclusive information, this date is far from fixed: Intel has allegedly applied for a further extension until 10 July. [UPDATE/]