Threat researchers uncovered seven new Spectre and Meltdown-type attacks that affect Intel, AMD, and Arm CPUs to varying degrees. These include two new Meltdown variants and five new Spectre variants, according to a research paper.
The research team, which includes some of the original researchers who discovered the Spectre and Meltdown flaws back in January, evaluated all seven attacks and found “we can still mount transient execution attacks that are supposed to be mitigated by rolled out patches.” These types of attacks could allow hackers to steal sensitive data that is supposed to be secured in protected areas.
Intel says not to worry and that the earlier patches it issued address these new security flaws as well as the older hardware bugs.
“The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers,” according to an emailed statement. “Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, and the College of William and Mary for their ongoing research.”
Arm and AMD spokespeople emailed similar statements to SDxCentral. Arm said: “The recent Spectre and Meltdown vulnerabilities identified by academic researchers can be addressed by applying existing mitigations as described previously in Arm’s white paper found here.”
“AMD is aware of the latest research published claiming new speculative execution attacks,” a spokesperson said. “AMD believes it is not vulnerable to some of these attacks because of our hardware paging architecture protections and, for those that are not solved by paging architecture protections, the mitigation is to implement our existing recommendations.”
And Chandler Carruth, a software engineer at Google, weighed in on Twitter with a tweet that supported the chip makers' responses: “This uncovers suspected and expected weaknesses that have been considered & mitigated where needed. Do not panic. =]”
It shouldn’t be too surprising that researchers uncovered these new Spectre and Meltdown variants. Several similar bugs have surfaced since the original discovery in January. As recently as August, Intel disclosed new Spectre-like vulnerabilities named Foreshadow, but said that, as with the earlier chip flaws, it hadn’t seen a Foreshadow attack in the wild.
Shortly after Intel disclosed Foreshadow, Greg Kroah-Hartman, a fellow at the Linux Foundation, said he expects more of these types of hardware flaws will be found. Because of this, it’s critical for developers and the open source community to constantly download the latest updates and patches, he said at the Open Source Summit in August. “The kernel can only do so much,” Kroah-Hartman said. “Some things can only be fixed with Microcode.”