There’s some worrying news on the security front today, with the revelation that eight fresh Spectre-class flaws have been discovered – and Intel has issued a statement on the matter.
These new bugs have been reported by German tech site Heise.de, and it has dubbed them Spectre-NG or ‘Next Generation’, claiming that Intel processors are vulnerable, and that AMD’s chips may also be affected.
Four of the flaws are labelled ‘high risk’ affairs, and all of them have been given their own CVE numbers (Common Vulnerabilities and Exposures reference number). Heise believes that one vulnerability in particular represents a major danger, as it can be exploited across the boundaries of virtual machines (enabling attacks on the host system via the VM).
As mentioned, Intel has reacted to this by posting an article which addresses ‘questions regarding additional security issues’.
Intel’s Leslie Culbertson, executive VP and general manager of Product Assurance and Security, writes: “Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers.
“We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”
In other words, Intel seems to be acknowledging the issue, and letting us know that a coordinated disclosure on the problems, and the relevant fixes, is imminent. Once again, it seems that details of the bugs have leaked ahead of the time Intel intended to reveal them, as happened with the original Spectre and Meltdown vulnerabilities back at the start of the year.
We’ll only know for sure when Intel confirms the existence of these bugbears, of course.
For now, though, it seems to be the case that more Spectre nastiness is about to cast a gloomy shadow on the computing world…