Intel’s Spectre Vulnerability Returns Like a Ghost from the Past

Gavin Phillips 14-05-2018

The massive Spectre/Meltdown revelations the opened 2018 Meltdown and Spectre Leave Every CPU Vulnerable to Attack A huge security flaw with Intel CPUs has been uncovered. Meltdown and Spectre are two new vulnerabilities that affect the CPU. You ARE affected. What can you do about it? Read More shook the computing world. While the vulnerabilities are now firmly out of the main news cycle, that is about to change. Security researchers have uncovered eight new Spectre-style vulnerabilities affecting Intel CPUs—propelling Spectre back into the security limelight.


Let’s take a look at the new Spectre vulnerabilities, how they differ from the existing issues, and what, if anything, you can do.

Spectre Next Generation

German publication Heise reports that security researchers have found eight new vulnerabilities in Intel CPUs. The new vulnerabilities, dubbed “Spectre Next Generation” (or Spectre-NG) confirm fundamental flaws in all modern processors. Heise claims that Intel has classified four of the new vulnerabilities as “high risk,” while the other four are classified “medium.”

At the current time, it is thought the Spectre-NG vulnerabilities have a similar risk and chance of attack to the original Spectre. There is, however, one exception to that.

One of the new Spectre-NG exploits simplifies an attack vector “to such an extent that we estimate the threat potential to be significantly higher than with Spectre.” An attacker can launch exploit code within a virtual machine and directly attack the host machine from within the VM. The example given is a cloud hosting server. The virtual machine could be used to attack other customers VMs in the search for passwords and other sensitive credentials.


Who Discovered Spectre-NG?

Just like Spectre/Meltdown, Google’s Project Zero first discovered Spectre-NG. Project Zero is Google’s attempt at finding and responsibly disclosing zero-day vulnerabilities before nefarious individuals. That they have found at least one of the new Spectre-NG flaws means there could well be security patches in the near future as the Project Zero team are renowned for sticking to the 90-day disclosure deadline. (The 90-days is meant to give a company ample time to address issues.)

But after that time, the Project Zero team will release details of the vulnerability, even without a working patch.

When Your System Be Patched?

Unfortunately, there is no solid timeline for when your system will receive a security patch for Spectre-NG. Given that this vulnerability is a) completely new and b) difficult to take advantage of, engineers will take some time to make sure patches resolve the issue.

In fact, Intel reportedly asked the researchers for an additional 14-days preparation before disclosing the flaws. However, the research team continued with their disclosure timeline. Intel was set to issue a patch on the 7th May. However, the additional 14-day period, taking the patch to the 21st May, also looks set to fall by the wayside. But given their request for additional time, Intel customers should expect a patch shortly.


The scope of Spectre-NG (and Spectre/Meltdown before this) make patching the vulnerability difficult How to Protect Windows From Meltdown and Spectre Security Threats Meltdown and Spectre are major security threats that affect billions of devices. Find out whether your Windows computer is affected and what you can do. Read More .

The previous series of patches for Spectre Are Spectre and Meltdown Still a Threat? The Patches You Need The Spectre and Meltdown are CPU vulnerabilities. Are we any closer to fixing these vulnerabilities? Have the patches worked? Read More didn’t meet universal praise. As the Spectre patches began to roll out, users noticed issues with their systems Revealed: How Spectre Updates Will Affect Your PC We assume you're fully aware of Meltdown and Spectre by now. Which means it's time to find out exactly how the Windows updates Microsoft has released will affect your PC... Read More . Glitches, newly created bugs, slower CPU clock speeds and more were all reported. As such, some companies withdrew their patches until they could be optimized. But with such a vast number of vulnerable CPUs providing a single Band-Aid was highly unlikely. Especially at the first attempt.

Other companies took a different approach. For instance, Microsoft now offers up to $250,000 in their bug bounty program for Spectre flaws.

Will Spectre-NG Exploit Your System?

One of the saving graces to the first round of Spectre vulnerabilities was the extreme difficulty of actually using one of the exploits against a target successfully. The average attacker wouldn’t be able to make use of Spectre (or Meltdown) because of the overwhelming amount of knowledge required. Unfortunately, this particular Spectre-NG exploit appears easier to implement—though still not an easy task, by any stretch of the imagination.


The simple fact of the matter is that there are other much easier exploitable avenues available to an attacker. Or at least the type of online attack that the majority of us would encounter day-to-day.

Still, that isn’t to diminish from the fact that the vast majority of CPUs around the globe have some form of Spectre/Meltdown or Spectre-NG vulnerability. The first round of patches is the tip of an iceberg that is unfathomably deep. Patches are obviously necessary. But an endless stream of patches with sometimes unpredictable results? That won’t do.

Check Your System Spectre/Meltdown Vulnerability Status

The InSpectre: Check Spectre and Meltdown Protection tool is a quick way to find out if your system is vulnerable. Follow the link above and download the tool. Next, run the tool and check out your level of protection. As you can see below, my laptop has Meltdown protection but is vulnerable to Spectre.


You can scroll down to find out more your PCs security situation and what Spectre/Meltdown mean.

Are AMD CPUs Vulnerable to Spectre-NG?

At the time of writing, more research into AMD CPUs is underway. There is no definitive answer. The general conjecture seems to lean toward AMD CPUs being unaffected by this particular set of vulnerabilities. But again, this isn’t a final answer.

The previous round of vulnerabilities was thought to have passed by AMD, only for the CPU manufacturer to later realize the opposite is true. So, right now; sure, you’re okay. But in a week, after more significant testing? You could well find your AMD system is vulnerable, too The New AMD Ryzen Vulnerabilities Are Real: What You Need to Know Sadly, there's a lot of truth to recent reports of critical vulnerabilities in AMD Ryzen CPUs. Read More .

Spectre Continues to Loom Large

The Spectre-NG set of vulnerabilities adds to the list of worrying CPU-level vulnerabilities. Does Intel need to fix them? Of course, without a doubt. Can Intel fix them without redesigning their CPU architecture? This is the more difficult question to answer. The consensus is that no, Intel cannot completely eradicate the Spectre vulnerability without significantly altering their CPU design.

After all, it’s not like Intel can recall and manually fix the billions of CPUs Are Any Computers Not Affected by the Meltdown and Spectre Bugs? The Meltdown and Spectre vulnerabilites have affected hardware around the globe. It seems like everything is insecure. But that isn't the case. Check out this list of secure hardware and our tips for the future. Read More in circulation. In that, Spectre will continue to loom large, even if it is difficult to exploit.

Explore more about: Computer Security, CPU.

Whatsapp Pinterest

Enjoyed this article? Stay informed by joining our newsletter!

Enter your Email

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. David Thiel
    May 15, 2018 at 9:39 pm

    Wow a VM can hijack the host and other VMs !!! Can Intel recall several billion chips?