In January of 2018, the world was introduced to two game-changing CPU vulnerabilities, Spectre and Meltdown, that brought “speculative execution side-channel vulnerability” into the enterprise IT security lexicon. Since then, a number of variants of the initial vulnerabilities have been found, along with new vulnerabilities taking advantage of similar functions within the CPUs.
Intel kicked off 2019 with a Jan. 2 editorial laying out its response to the Spectre and Meltdown vulnerabilities over the past year. The chip giant says the culture of the company has changed since the advent of Spectre and Meltdown, and its response has been effective. But vulnerabilities in the core of a CPU tend not to lend themselves too rapid, complete fixes, Intel says.
Read more about Intel’s response to Meltdown & Spectre on DarkReading.
The now-infamous Spectre and Meltdown vulnerabilities were first disclosed on January 4, 2018. The duo busted open the door on what is collectively known as “transient execution attacks,” which have proven difficult to patch. Fundamentally, as Spectre and Meltdown are hardware-level vulnerabilities, patching around them in software is an order of magnitude more difficult than software vulnerabilities.
Available mitigations are a work-in-progress. It is unclear if the vulnerabilities can be completely patched through microcode and software updates. The biggest hope for a definite fix to the issue is new hardware.
Read more about the problems with patches for vulnerabilities allowing for transient execution attacks on TechRepublic.
Researchers have discovered a new variation of the Spectre CPU vulnerability that can be exploited via browser-based code. This new CPU vulnerability is, too, a design flaw in the microarchitecture of modern processors that can be exploited by attacking the process of “speculative execution,” an optimization technique used to improve CPU performance.
The vulnerability, which researchers codenamed SplitSpectre, is a variation of the original Spectre v1 vulnerability discovered last year. The difference in SplitSpectre is not in what parts of a CPU’s microarchitecture the flaw targets, but how the attack is carried out.
Read more about the SplitSpectre CPU attack on ZDNet.
A team of nine academics has revealed today seven new CPU attacks. The seven impact AMD, ARM, and Intel CPUs to various degrees. Two of the seven new attacks are variations of the Meltdown attack, while the other five are variations on the original Spectre attack — two well-known attacks that have been revealed at the start of the year and found to impact CPUs models going back to 1995.
Researchers say they’ve discovered the seven new CPU attacks while performing “a sound and extensible systematization of transient execution attacks” — a catch-all term the research team used to describe attacks on the various internal mechanisms that a CPU uses to process data.
Read more about the new Meltdown and Spectre attacks on ZDNet.