Intel Postpones Patching 'Spectre NG' CPU Flaws

Last week, the German computer magazine Heise.de revealed that Intel’s chips are vulnerable to eight more Spectre flaws, which were called “Spectre Next-Generation” or Spectre NG. According to Heise, Intel had planned to release the patches yesterday, May 7, but Intel asked the researchers who uncovered the bugs for an extension.

Spectre NG Flaws

According to Heise, Intel had problems getting the patches ready in time, so it asked the researchers to not disclose the first wave of Spectre NG bugs to the public for another 14 days. This first wave will include patches for four “medium-risk” flaws, and a disclosure of another two “high-risk” bugs. Heise sources said that Intel has already requested another extension, until July 10.

The second wave of patches, which should fix the high-risk flaws, is scheduled to be released on August 14. These high-risk CPU flaws affect all of Intel’s chips, including the Xeon lineup. Some of the flaws are supposed to be even worse than the original Spectre bugs, as they could allow attackers to bypass not just virtual machines, but virtual machines inside other virtual machines, and then exploit the host machine. The flaws even bypass the security guaranteed by Intel's Software Guard Extension (SGX), which the Signal messenger is using to protect the privacy of users' contacts.

According to Heise, these eight Spectre NG vulnerabilities impact not just the Core i and Xeon chips, but also the Atom-based smartphones and tablets, as well as the Atom-based Celeron and Pentiums found in budget laptops.

“Security First”

After the first Spectre flaws were revealed, Intel made a pledge to put “security first” from now on. Admittedly, these new Spectre NG flaws were revealed just a short time after the first ones became public, so Intel couldn’t have had time to make any serious changes to its architecture. However, the public may hold Intel to that promise in the future, which means the company may need to make more permanent hardware changes to its architecture.

As we can see with the new bugs, the software fixes are only temporary. That’s because Spectre is not just a common bug that can be fixed in software, but a hardware design flaw that determines how Intel’s CPUs work. Heise said that Intel and its partners plan to have microcode and OS patches ready in the coming weeks and months, but it remains to be seen if these have any lasting impact on protecting users.

Intel has yet to confirm the existence of the Spectre NG CPU flaws.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • iopssopi
    Intel made a pledge to put “security first” from now on

    Really intel ? Really? are you saying that you never put Security first when you sold XEONS to companies servers around the world ?

    1000 people should be fired over this statement including the CEO.

    Do you think you are talking with kids at school intel ?

    SUE the sh$t out of them , make them bleed , bankrupt them.


    Reply
  • beardrinksbeer
    it would be grouse if intel redesigns & releases cpu's for the last few iterations of motherboards, or more, as there are a hell of a lot motherboards out there we don't want end up in landfill
    Reply