Further Spectre and Meltdown-like flaws found
- 04 May, 2018 12:29
(Credit: Project Zero)
Researchers have found eight new flaws in computer central processing units that resemble the Meltdown and Spectre bugs revealed in January, a German computing magazine has reported.
The magazine, called c't, said it was aware of Intel Corp's plans to patch the flaws, adding that some chips designed by ARM Holdings, a unit of Japan's Softbank, might be affected, while work was continuing to establish whether Advanced Micro Devices chips were vulnerable.
Meltdown and Spectre bugs could reveal the contents of a computer's central processing unit - designed to be a secure inner sanctum - either by bypassing hardware barriers or by tricking applications into giving up secret information.
C't did not name its sources because researchers were working under so-called responsible disclosure, in which they inform companies and agree to delay publishing their findings until a patch can be found.
The magazine said Google Project Zero, one of the original collective that exposed Meltdown and Spectre in January, had found one of the flaws and that a 90-day embargo on going public with its findings would end on May 7.
Intel shares closed down slightly to US$52.28, in line with a decline in the Nasdaq Composite Index. An Intel representative declined to comment on the vulnerabilities described in c't magazine.
In a statement on its website, Intel said it routinely works closely with customers, partners, other chipmakers and researchers to mitigate any issues that are identified, and that part of the process involved reserving blocks of CVE numbers.
"We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalise mitigations," the statement said.
AMD said it was aware of the media reports and was examining the issue. Google declined to comment. ARM representatives could not immediately be reached for comment.
The German magazine gave few details about the reported new flaws. When the Spectre and Meltdown flaws emerged, researchers said that additional similar flaws were likely to be found and would require patches.
"Considering what we have seen with Meltdown and Spectre, we should expect a long and painful cycle of updates, possibly even performance or stability issues," said Yuriy Bulygin, chief executive officer of hardware security firm Eclypsium and a former Intel security researcher. "Hopefully, Meltdown and Spectre led to improvements to the complicated process of patching hardware."
While no proof has yet emerged that Spectre or Meltdown were ever used by hackers in the real world, similar attacks have "become a hot, new area of research. Bad actors have probably already invested in such attacks by now," Bulygin said.
(Reporting by Douglas Busvine; additional reporting by Laharee Chatterjee in Bangalore; editing by Jane Merriman and Leslie Adler)