Ever since Spectre and Meltdown were unveiled, there’s been the risk that future attacks might surface as well. One of the things that sets the Spectre attacks apart from Meltdown is that Meltdown targeted a specific vulnerability. The Spectre variants (Variant 1 and Variant 2) described already are two examples of how Spectre can be used to exploit side effects of speculative execution. They aren’t the only ways the trick can be deployed. And now there’s rumors that an entirely new set of disclosures is on the way.
Earlier this week, Heise.de claimed to have seen evidence that eight Spectre-class attacks will be unveiled shortly, with details already unveiled to manufacturers. Heise is referring to these as Spectre-NG (for Next Generation), and claims that it has seen details on all eight, as well as double and triple-checking the outcomes and reports. Here’s how they summarize their findings:
So far we only have concrete information on Intel’s processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.
Intel is said to be prepping its own patches with two rounds of updates scheduled for May and August, with additional patch support from Microsoft, similar to the updates that’ve already rolled out for Spectre and Meltdown. And there’s some sign from Intel that a disclosure may be imminent. A new update from Intel, that went live today, is called “Addressing Questions Regarding Additional Security Issues.” It states:
Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.
This sounds like similar to language to what we heard when the disclosures around Spectre and Meltdown were pending. But before people jump to conclusions, I’d argue that what we need is calm. Earlier this year, a company named CTS-Labs decided to take some genuine security issues they found within AMD products and chain them to disclosure practices and reports that actively attempted to hijack AMD’s stock price to make money for a particular investment firm. In the process, CTS-Labs demonstrated exactly how important it is that security disclosures remain focused on providing factually accurate understandings of security risks first and foremost, with discussion of underlying financial ramifications or even conclusions about the underlying products themselves handled separately.
As soon as news broke of what Spectre was, it was clear we’d be cleaning up this mess for a long time to come. So far, between Apple, ARM, Intel, and AMD, Intel has been the most directly exposed by Spectre and Meltdown, partly because of the nature of its CPU designs, partly because of its market position. We don’t know how, or if, the next round of disclosures will change these rankings. We don’t know how serious the flaws will collectively be.
Normally, I don’t put such an emphasis on pointing out what we don’t know, but the CTS debacle emphasized, at least to me, the need to treat these situations with care. Intel is obviously treading lightly on this topic, and it’s fair to be concerned about the situation — but we’d stick with “concern” for now, until more details come to light.
Intel’s Desktop TDPs No Longer Useful to Predict CPU Power Consumption
Intel's higher-end desktop CPU TDPs no longer communicate anything useful about the CPUs power consumption under load.
Review: The Oculus Quest 2 Could Be the Tipping Point for VR Mass Adoption
The Oculus Quest 2 is now available, and it's an improvement over the original in every way that matters. And yet, it's $100 less expensive than the last release. Having spent some time with the Quest 2, I believe we might look back on it as the headset that finally made VR accessible to mainstream consumers.
New Intel Rocket Lake Details: Backwards Compatible, Xe Graphics, Cypress Cove
Intel has released a bit more information about Rocket Lake and its 10nm CPU that's been back-ported to 14nm.
Intel’s Raja Koduri to Present at Samsung Foundry’s Upcoming Conference
Intel's Raja Koduri will speak at a Samsung foundry event this week — and that's not something that would happen if Intel didn't have something to say.