More Spectre-style chip flaws discovered in Intel processors

Posted in General Discussion, edited May 2018
More waves of patches to plug security holes in processors are on the way, after the discovery that Intel is working to patch more Spectre-style issues in its chips, with eight new vulnerabilities said to be found by security researchers following the Spectre and Meltdown fiasco from earlier this year.

Multiple research teams found the eight new security flaws in Intel's CPUs, reports German publication c't. It is claimed the discoveries are all caused by the same design-related issue, with each having its own listing in the Common Vulnerabilities and Exposures (CVE) directory and requiring its own patch.

As is typical for vulnerabilities, the researchers disclosed the issues to Intel, giving the chip producer time to create a patch before a public disclosure can occur. Google Project Zero, the search company's own research team, is said to be quite strict about its 90-day disclosure deadline, meaning the first official disclosure of one of the flaws could happen as soon as May 7.

According to the report, Intel is planning two waves of patches to fix the problems, with the first set to start in May while a second is scheduled for sometime in August. It is also believed Microsoft is preparing its own patches, offered as optional Windows updates, while Linux kernel developers are working on their own mitigation measures.

Considering all current Mac ranges use Intel processors, it is highly likely Apple isn't affected by the problems, has patches ready, or is in the process of creating the software countermeasures.

From what is known about the vulnerabilities, Intel has classified four as "high risk," while the others are labeled as a "medium" risk. For seven of the vulnerabilities, the report claims the risks and potential attacks are similar in construction to those of Spectre.

The eighth vulnerability is apparently an exception, potentially posing a greater threat than Spectre itself, as it could allow an attacker to launch an exploit in a virtual machine (VM) as a way to attack the host system. Largely affecting enterprise, as well as some individual users who operate VMs privately, the vulnerability could also be used to attack other VM instances on the same server, and due to Intel's Software Guard Extensions (SGX) not being "Spectre-safe," it could also intercept passwords and keys transmitted between VM instances.

Intel has issued a statement ahead of the potential disclosures, effectively confirming the vulnerabilities exist. The company says it routinely works with other parties to "understand and mitigate any issues that are identified," that it strongly believes in the "value of co-ordinated disclosure," and reminds users to keep their systems up to date.

Revealed in January, the Meltdown and Spectre chip flaws in Intel and ARM-based processors allowed the creation of a number of exploits in systems using the components. All Mac and iOS devices were found to be affected by the issue, but Apple advised at the time it had already released mitigations for current operating system versions, and was working to develop other fixes.

In the following months, Intel became the subject of a number of lawsuits over the design flaws, including their effect on Intel's share price, and accusations that CEO Brian Krzanich allegedly sold shares worth millions of dollars after Intel was informed of the vulnerabilities, but before they were publicly disclosed.

Intel was also criticised for failing to notify U.S. cybersecurity officials of the flaws until after the public became aware of their existence.

Comments

  • Reply 1 of 17
    ceek74 Posts: 324 member
    Flaws for some, features for others.
  • Reply 2 of 17
    tzm41 Posts: 83 member
    ceek74 said:
    Flaws for some, features for others.
    Flaws for some, features for hackers. Haha
  • Reply 3 of 17
    ericesque Posts: 10 unconfirmed, member
    So if two vulnerability patches cause a 30% performance hit, what's the impact of 10?
  • Reply 4 of 17
    seanismorris Posts: 1,015 member
    VMs are getting more dangerous. I wonder if businesses are going to take a step back from that approach...
  • Reply 5 of 17
    rezwits Posts: 623 member
    seems like a great time for ARM, the timing is just... (probably been stated b4)
  • Reply 6 of 17
    DAalseth Posts: 682 member
    Not thought too highly of the idea of Apple going to A series chips for the Macs. But now I'm not so sure. Yes they got hit by Spectre and Meltdown too, but at least Apple would control the whole widget. They wouldn't be relying on an outside company for the chips.
  • Reply 7 of 17
    mknelson Posts: 362 member
    ericesque said:
    So if two vulnerability patches cause a 30% performance hit, what's the impact of 10?
    Possibly the same 30% (I thought it was more like 10%) - they may or may not stack depending on what the patches need to accomplish.
    seems like a great time for ARM, the timing is just... (probably been stated b4)
    Revealed in January, the Meltdown and Spectre chip flaws in Intel and ARM-based processors

    So, maybe?
  • Reply 8 of 17
    chasm Posts: 1,642 member
    As speed tests have subsequently shown, Intel either wildly miscalculated the performance hit the patches might cause, or Apple is waaaaay more clever than other companies (or both), since any performance impact in the devices that have now been protected from Meltdown and Spectre has been non-existent to barely-noticeable, which would mean it was way less than 10 percent for power-users like this audience. What’s appalling here is that it has taken Intel five months to discover new problems, all while they keep “tocking.” Maybe it’s just a pile-on of coincidences, but Intel seems to have hit a wall in its progress, and that is being complicated by these long-dormant flaws in its chips. I hope they are (or will) take the opportunity to really clean house on this front, and likewise other chipmakers like ARM.
  • Reply 9 of 17
    wizard69 Posts: 12,860 member
    rezwits said:
    seems like a great time for ARM, the timing is just... (probably been stated b4)
    Or AMD. Seriously, AMD doesn't have some of these issues due to design. That isn't to say AMD has no bugs, just that right now it is a far better choice if these issues are a concern to anyone.
  • Reply 10 of 17
    wizard69 Posts: 12,860 member
    chasm said:
    As speed tests have subsequently shown, Intel either wildly miscalculated the performance hit the patches might cause, or Apple is waaaaay more clever than other companies (or both), since any performance impact in the devices that have now been protected from Meltdown and Spectre has been non-existent to barely-noticeable, which would mean it was way less than 10 percent for power-users like this audience. What’s appalling here is that it has taken Intel five months to discover new problems, all while they keep “tocking.” Maybe it’s just a pile-on of coincidences, but Intel seems to have hit a wall in its progress, and that is being complicated by these long-dormant flaws in its chips. I hope they are (or will) take the opportunity to really clean house on this front, and likewise other chipmakers like ARM.
    The impact is highly variable but for single user systems like Apple sells the hit has been minor. If you are running a server though there are serious performance and security concerns. Phoronix has and likely will be running benchmarks detailing when and where the patches have an impact in the server space. Apple gets off with only very minor performance issues due to the way their systems are used.
  • Reply 11 of 17
    darkvader Posts: 329 member
    rezwits said:
    seems like a great time for ARM, the timing is just... (probably been stated b4)
    No, that's as bad an idea as it was the first time it was suggested.

    We DO NOT need another architecture transition.  And we definitely don't need it right now, Apple can't even handle bug fixes on their mail client, they're in the midst of what is turning into a VERY messy file system transition (you haven't seen the data loss incidents like those of us in IT have), and some of the bugs they introduced in 10.13 have been horrific, things like root access vulnerabilities and the SMB server connection crashes have been nightmares.  I'm typing this right now on a MBP running 10.13 with no Spotlight, no fix I've tried has worked to bring it back, and I'm probably going to end up having to change the drive, do a fresh install, and manually copy my data.  I'm NOT looking forward to it.

    Throw an architecture switch into the mix and you'll be lucky to get a Mac to boot half the time with the current software quality level.

    Oh, and then there's the lovely loss of binary compatibility with a few other popular operating systems out there, that's let me put quite a few Macs into the hands of users who would otherwise be stuck running Windoze all the time.
  • Reply 12 of 17
    dysamoria Posts: 2,257 member
    "Considering all current Mac ranges use Intel processors, it is highly likely Apple isn't affected by the problems, has patches ready, or is in the process of creating the software countermeasures."

    I think you mean "Apple IS affected".
  • Reply 13 of 17
    rezwits said:
    seems like a great time for ARM, the timing is just... (probably been stated b4)
    I haven’t looked at these new bugs yet, but Spectre affects most ARM based CPUs (including Apple’s A series) along with those from AMD and Intel.

    Edited to add: A quote from the linked article: “So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable.“
    edited May 2018
  • Reply 14 of 17
    VMs are getting more dangerous. I wonder if businesses are going to take a step back from that approach...
    How are VMs any more dangerous than running a full physical server???
  • Reply 15 of 17
    VMs are getting more dangerous. I wonder if businesses are going to take a step back from that approach...
    How are VMs any more dangerous than running a full physical server???
    One of the Spectre variants permits processes to break out of hypervisor boundaries and read memory belonging to processes in other VMs running on the same host. Most (all?) cloud providers run code from many clients each in their own VMs but running on shared host hardware. Bugs like Spectre (and Rowhammer) should have people questioning the security of such shared environments.
  • Reply 16 of 17
    1983 Posts: 1,184 member
    Here we go again! Apple should really dump Intel as soon as they are able. First all these recurring delays with the release of new processors...going on for years now! And now with all these security vulnerabilities with the actual CPUs themselves going on (as far as we know that is!) for about a year now too.
  • Reply 17 of 17
    1983 said:
    Here we go again! Apple should really dump Intel as soon as they are able. First all these recurring delays with the release of new processors...going on for years now! And now with all these security vulnerabilities with the actual CPUs themselves going on (as far as we know that is!) for about a year now too.
    Whether or not Apple should dump Intel is a great topic of conversation and there are pros and cons to both sides, but Spectre (and very likely the bugs discussed in this story as well) affect many CPU architectures, including Intel, AMD, ARM, and Apple's A-series (based on ARM). 