The Spectre and Meltdown CPU vulnerabilities hurt Intel’s reputation like no other controversy has ever done. And even though the company eventually rolled out updates to patch them and also promised native protection against the flaws in future, the damage was already done. And it now looks like the saga is far from over, as security researchers have discovered eight new variants of the Spectre vulnerability.
According to a report from Heise, eight new Spectre class vulnerabilities have been discovered which affect Intel CPUs, as well as a small number of ARM processors. The new vulnerabilities have been labeled ‘Spectre-Next Generation’ (Spectre NG) because all the newly discovered threats arise out of the same design flaw which gave birth to the original Spectre vulnerability.
The security experts who discovered the vulnerabilities have already shared the details with Intel, so that the chipmaker can develop updates to patch the security threats. Intel has classified four of the Spectre NG vulnerabilities as ‘high risk’, while the remaining four have been labeled as ‘medium risk’ threats. One of the Spectre-NG vulnerabilities is reportedly even more dangerous than the vulnerability it takes its name from, and can be exploited with relative ease to launch an attack on systems connected to cloud services provided by the likes of Amazon and Cloudflare.
Addressing the new security findings, Intel’s Executive VP & GM of Product Assurance and Security, Leslie Culbertson wrote,“We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.” However, her statement did not reveal any details about the progress made by Intel and how the company plans to fix the security issue.
However, Heise’s report states that Intel is currently developing software updates to patch the Spectre NG vulnerabilities in collaboration with partner companies, and plans to release updates in May and August. Microsoft also aims to fix the vulnerabilities from its own side by releasing a security patch with Windows updates in the upcoming months. Cybersecurity experts point that the eight Spectre NG vulnerabilities have unique numbers registered in the Common Vulnerability Enumerator (CVE) directory, which means they all will require individual patches for threat mitigation.