Last week, the German computer magazine Heise.de revealed that Intel’s chips are vulnerable to eight more Spectre flaws, which were called “Spectre Next-Generation” or Spectre NG. According to Heise, Intel had planned to release the patches yesterday, May 7, but Intel asked the researchers who uncovered the bugs for an extension.
Spectre NG Flaws
According to Heise, Intel had problems getting the patches ready in time, so it asked the researchers to not disclose the first wave of Spectre NG bugs to the public for another 14 days. This first wave will include patches for four “medium-risk” flaws, and a disclosure of another two “high-risk” bugs. Heise sources said that Intel has already requested another extension, until July 10.
The second wave of patches, which should fix the high-risk flaws, is scheduled to be released on August 14. These high-risk CPU flaws affect all of Intel’s chips, including the Xeon lineup. Some of the flaws are supposed to be even worse than the original Spectre bugs, as they could allow attackers to bypass not just virtual machines, but virtual machines inside other virtual machines, and then exploit the host machine. The flaws even bypass the security guaranteed by Intel's Software Guard Extension (SGX), which the Signal messenger is using to protect the privacy of users' contacts.
According to Heise, these eight Spectre NG vulnerabilities impact not just the Core i and Xeon chips, but also the Atom-based smartphones and tablets, as well as the Atom-based Celeron and Pentiums found in budget laptops.
After the first Spectre flaws were revealed, Intel made a pledge to put “security first” from now on. Admittedly, these new Spectre NG flaws were revealed just a short time after the first ones became public, so Intel couldn’t have had time to make any serious changes to its architecture. However, the public may hold Intel to that promise in the future, which means the company may need to make more permanent hardware changes to its architecture.
As we can see with the new bugs, the software fixes are only temporary. That’s because Spectre is not just a common bug that can be fixed in software, but a hardware design flaw that determines how Intel’s CPUs work. Heise said that Intel and its partners plan to have microcode and OS patches ready in the coming weeks and months, but it remains to be seen if these have any lasting impact on protecting users.
Intel has yet to confirm the existence of the Spectre NG CPU flaws.