Are 8 new 'Spectre-class' flaws in Intel CPUs about to be exposed?

Reports are emerging of eight new 'Spectre-class' security CPU vulnerabilities.
Written by Liam Tung, Contributing Writer

Video: New 'Spectre-class' flaws in Intel CPUs might be revealed soon

A report by German tech site heise.de says Intel's CPUs are affected by eight new "Spectre-class" vulnerabilities, including one found by Google's Project Zero, which identified the first set of CPU flaws known as Meltdown and Spectre.

The site reports that the bugs have been assigned CVE identifiers and that at least one of them will be revealed by Project Zero on May 7, a day ahead of Patch Tuesday, which Microsoft recently begun using to distribute Intel's hardware patches or microcode updates.

The site says it has concrete evidence that Intel processors are vulnerable to the new flaws and that the chipmaker has patches in the works. AMD CPUs may also be vulnerable and further research on that issue is under way.

See: Special report: Cybersecurity in an IoT and mobile world (free PDF)

Intel has issued a cryptic statement titled "addressing questions regarding additional security issues".

"Protecting our customers' data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers," wrote Leslie Culbertson, Intel executive vice president.

"We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up to date."

According to Heise, four of the vulnerabilities are being treated as "high risk" and, as with the previously found Spectre flaws, they impact cloud providers due to an ability to attack a host system from a virtual machine, allowing an attacker to extract secrets and passwords from the host machine's memory.

Spectre Variant 2, a branch target injection flaw, concerns cloud providers because of the risk of it being used to enable a hypervisor bypass. Fixing it required microcode updates from Intel and AMD.

Heise notes that while the original Spectre bugs are difficult to exploit, the new Spectre vulnerabilities are more easily used.

Reports of the new bugs come just a month after Intel completed delivery of microcode updates to address Spectre Variant 2 for all chip families released in the past decade.

As of March, Microsoft has assisted Intel to deploy these updates, which were originally being deployed by hardware manufacturers.

This story has been updated to make it clear that Intel has not confirmed that it is working on mitigations for any alleged vulnerabilities.

Previous and related coverage

Microsoft to Windows users: Here are new critical Intel security updates for Spectre v2

Microsoft releases new Windows updates to address the Spectre variant 2 flaw affecting Intel chips.

Windows 10 on AMD? This new update plus Microsoft's patch block Spectre attacks

AMD has released microcode updates for Spectre variant 2 that require Microsoft's latest Windows 10 patch.

Intel: We now won't ever patch Spectre variant 2 flaw in these chips

A handful of CPU families that Intel was due to patch will now forever remain vulnerable.

Windows 7 Meltdown patch opens worse vulnerability: Install March updates now

Microsoft's Meltdown fix opened a gaping hole in Windows 7 security, warns researcher.

Intel's new Spectre fix: Skylake, Kaby Lake, Coffee Lake chips get stable microcode

Intel makes progress on reissuing stable microcode updates against the Spectre attack.

Got an old PC? Find out whether you will get Intel's latest Spectre patch TechRepublic

Intel has listed a range of CPUs released between 2007 and 2011 that will not receive a firmware update to help guard against Spectre-related exploits.

Class-action suits over Intel Spectre, Meltdown flaws surge CNET

Since the beginning of 2018, the number of cases has risen from three to 32.

Editorial standards