The bugs don’t stop. Intel says it’s working to fix new flaws affecting its processors following a report about eight additional Spectre- and Meldown-like bugs in its CPUs.
The German website Heise first reported on the flaws, which it dubbed Spectre Next Generation or Spectre-NG. Intel classified four of these as “high risk” and four as “medium,” according to the site. “Intel is already working on its own patches for Spectre-NG and developing others in cooperation with the operating system manufacturers,” it says. Intel plans to roll out the first wave of patches this month and the second in August.
Intel didn’t respond to SDxCentral’s questions about the new vulnerabilities, but a spokesperson emailed a vague statement — also posted on the company website — by Leslie Culbertson, executive vice president and general manager of product assurance and security.
“Protecting our customers’ data and ensuring the security of our products are critical priorities for us,” Culbertson wrote. “We routinely work closely with customers, partners, other chipmakers, and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”
Some ARM CPUs are also vulnerable to Spectre NG, according to Heise. Researchers are still investigating if AMD’s processors are also at risk.
ARM posted a list of what it called a “small subset of ARM-designed processors” that are susceptible to the flaws and noted “the majority of ARM processors are not impacted.”
The company said it would update the site with new information as needed.
An AMD spokesperson responded via email to SDxCentral’s questions about potential vulnerabilities: “Security and protecting users’ data is of the utmost importance to AMD and we work closely across our ecosystem to evaluate potential vulnerabilities as they are discovered and develop mitigations. We are aware of recent media reports related to speculative execution exploits. We are looking into the matter and will share information as appropriate.”
Spectre, Meltdown Fallout
In response to Spectre and Meltdown, Intel CEO Brian Krzanich penned a “security first pledge” promising “transparent and timely communications” with customers about patches and “ongoing security assurance.”
The company also revamped its bug bounty program, opening up the previously invite-only program to the public and paying up to $250,000 per valid vulnerability.
And at the start of the annual RSA security conference last month, the chipmaker announced new silicon-level security technology that will do a “better job at detecting a new class of threats,” according to Rick Echevarria, vice president in the software and services group and general manager of the platforms security division at Intel.
Meanwhile, Intel is facing at least 32 class action lawsuits related to the Meltdown and Spectre CPU flaws and three other insider trading lawsuits. Krzanich sold $24 million in stock two months before publicly disclosing the chip bugs.
Cisco Catches Cryptojacking
In other security news, Cisco said its technology caught thousands of threats on Mobile World Congress’ public network, which provided Internet connectivity for the annual show’s 107,000 attendees in Barcelona, Spain in February, according to a blog post by Cisco Principal Engineer TK Keanini.
Cisco used Stealthwatch Enterprise and Encrypted Traffic Analytics to monitor the massive wireless network, and found 85 percent of web traffic was encrypted — meaning 15 percent wasn’t. Stealthwatch identified more than 30 applications using an outdated cryptographic protocol with known vulnerabilities.
“The traffic Cisco observed on Mobile World Congress’ public wireless network represents a number of trends we are seeing in the wild. A large majority of the traffic was encrypted,” Keanini wrote. This includes severe threats using encryption and applications using insecure cryptographic protocols.
“Lastly, the presence of mobile malware and cryptomining activities was significant,” he wrote. This echoes a recent report by Symantec that found cryptocurrency coin miners grew by a whopping 8,500 percent in 2017.
Cisco, in partnership with RSA, also ran the Security Operation Center at the RSA Conference last month and plans to publish a similar report about network traffic and threats crossing the wireless network at the security event.
Editor’s Note: This story has been update to include a comment from AMD received after the initial publication.