Earlier this month, security researchers claimed to have discovered 8 new Spectre flaws on top of the original CPU vulnerabilities, dubbing them “Spectre-NG,” shorthand for Spectre Next Generation. Intel was reportedly set to address these new issues with an update on May 7th, which seems to have been delayed in favour of a launch later this month.
German publication Heise was first on the scene, claiming to have received full technical details on the new flaws and rating half of the vulnerabilities as “high risk” while the remaining four were simply “medium.” Although exploitation still requires immediate access to the system or its connected network, attackers can utilise the Spectre-NG flaw to bypass virtual machine isolation in cloud hosting, breaching Intel’s Software Guard Extensions (SGX).
Intel has addressed the issue, emphasising the importance of “protecting our customers’ data.” However, the first wave of patches due on May 21st will mitigate only the four “medium” security issues, while the “high risk” vulnerabilities won’t be addressed until August 14th.
Like Intel’s, ARM processors are affected by Spectre-NG; however, it hasn’t been confirmed whether AMD’s CPUs are at risk from the newfound issues. In the meantime, AMD is investigating the new data, aiming to be as transparent about the process as possible.
“Security and protecting users' data is of the utmost importance to AMD and we are aware of it speculative execution exploits,” reads AMD’s statement.
It’s worth remembering that any and all mitigating patches are just plasters and band-aids, a temporary solution to a much larger issue. The real solutions will come at the hardware level, when Intel finally releases its Spectre- and Meltdown-proof processors.
KitGuru Says: While I cannot comment on the difficulty of developing such patches and it’s entirely possible that Intel is trying to avoid the same fiasco as its first mitigating update, the response time does seem increasingly slow for such prominent issues. That being said, the upcoming hardware solutions are the true priority as these security patches won’t end until current generations are phased out entirely.