Spectre and Meltdown—the duo of hardware-level CPU flaws that were disclosed in early January 2018—have kicked off a great deal of additional research into speculative execution-related flaws. This research has already uncovered additional points of weakness, as demonstrated in the related SgxPectre attack. However, a report by Jürgen Schmidt at Heise Media’s Magazin für Computertechnik claims that eight new Spectre-related vulnerabilities are to be disclosed in the immediate future.
Schmidt refers to the vulnerabilities collectively as Spectre Next Generation, though he posits that each of them is of sufficient importance to be given an individual name. In the report, Schmidt noted that the vulnerabilities are expected to affect at least Intel processors and, in some cases, ARM processors, though it is unclear to what extent AMD processors are affected.
The report indicates that the first wave of patches is expected in May, with a second wave of patches to follow in August. Schmidt deduces this timeline from the fact that Google’s Project Zero team discovered one of the issues. Project Zero, which rarely grants extensions to its policy of disclosure after 90 days, apparently will see a deadline run out on May 7th, which Schmidt noted is the day before the next Patch Tuesday at Microsoft.
Of the eight vulnerabilities, four are rated as “high risk,” while the other four are rated as “medium” by Intel. Schmidt claims that one of the vulnerabilities is a “VM escape,” which would potentially allow attackers operating in a virtual machine (VM) or container to break free from those confines and gain control of the underlying hardware. According to Schmidt, this would be relatively trivial to exploit in the wild compared with the original Spectre and Meltdown disclosures, and he specifically names cloud hosting providers “such as Amazon” as being at risk.
Given the difficulty that technology companies have faced in attempting to deliver patches for the original Meltdown and Spectre—it was discovered that the Windows patch can be completely bypassed by hackers, while the same patch caused a bigger security hole on Windows 7 and Server 2008 R2, and Intel’s patch caused random reboots on certain systems—the new patch cycle is likely to cause a similar upheaval for businesses. While servers are at the most risk due to the nature of the problem, workstations should not be neglected during patching.