Reports have surfaced about eight Spectre-class CPU flaws that could leave users vulnerable. German site heise.de says it has verified a number of security flaws in Intel processors itself, and has initial evidence for vulnerabilities in ARM processors.
The news comes just days after researchers revealed a ‘fatal flaw’ in Microsoft’s Meltdown patch. Despite assurances from Intel, it’s clear that patches haven’t been enough to keep users safe.
According to Heise, one of the flaws was discovered by Google’s Project Zero, and all eight have been assigned CVE identifiers. Heise believes Google will stick to its schedule and reveal the vulnerability it found on May 7, one day before Patch Tuesday.
Four of the Spectre-like flaws are apparently high risk, allowing attackers to gain access to usernames and passwords. They’re also easier to exploit than previous ones, meaning it’s more likely we’ll see them in the wild.
In response, Intel issued a very vague statement about ‘additional security issues’.
“Protecting our customers’ data and ensuring the security of our products are critical priorities for us,” said Leslie Culbertson, general manager of product assurance and security at Intel. “We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”
Heise says Intel is currently working on patches, which will roll out in May and August. It makes sense that the company will keep details to itself until the fixes begin to roll out. We expect Microsoft to follow suit once more information becomes available.