Spectre Next Generation vulnerabilities affect Intel processors - gHacks Tech News

Spectre Next Generation vulnerabilities affect Intel processors

Intel is facing another wave of reported security issues that affect the company's processors. The vulnerabilities, called Spectre Next Generation or Spectre NG, have not been disclosed publicly yet.

A report on the German computer magazine site Heise suggests that eight new vulnerabilities were reported to Intel recently. Intel gave four of the eight vulnerabilities a severity rating of high and the remaining four a severity rating of medium according to Heise.

The exploitability of one of the vulnerabilities appears to be higher than that of previous issues as attackers may abuse the issue to break out of virtual machines to attack the host system or other machines, reports Heise.

Companies that provide cloud hosting or cloud services are primary targets for the vulnerability as attackers may exploit it to gain access to data transfers and data.

Intel released patches and updates for the majority of processors that it announced would receive updates to protect against the previously disclosed Spectre and Meltdown variants. Some updates are still missing, however, and it is likely that many computer systems are not yet protected against attacks.

spectre meltdown vulnerability check

One reason for that is that Microsoft has not distributed updates through Windows Updates yet. The company released standalone updates for Windows 10 but not for Windows 7 or Windows 8.1, or the recently released Windows 10 version 1803.

It appears that Windows 10 version 1809 (the next feature update for Windows 10) might include the updates.

Microsoft's track record of protecting customer devices against potential attacks is not the best. The company did release initial patches in January but retracted them after a short while. While it has released updates for some of its supported operating systems, updates for other versions are still nowhere to be seen.

Even worse, the Meltdown updates for Windows 7 and Windows Server 2008 R2 introduced a new vulnerability on patched systems that the researcher called Total Meltdown.

Heise's report suggests that Intel plans to release patches for Spectre Next Generation vulnerabilities in two batches. The first patches could be released as early as May 2018, the second patches in August 2018.

If Intel's current track record holds, it is likely that the patches will be released at different times for different processor families.

Good news is that attacks against user systems using Spectre or Meltdown exploits are not widespread and that this is probably not going to change anytime soon.

Update: An Intel spokesperson provide the following statement:

Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.

Closing Words

Be prepared for another round of updates that patch Spectre issues and side-effects such as performance drops. It seems likely that the eight new vulnerabilities are not the last that we will see in the coming years.

Now You: How do you deal with Spectre and Meltdown? (via Born)

Related articles

Summary
Spectre Next Generation vulnerabilities affect Intel processors
Article Name
Spectre Next Generation vulnerabilities affect Intel processors
Description
Intel is facing another wave of reported security issues in its processors. The vulnerabilities, called Spectre Next Generation or Spectre NG, have not been disclosed publicly yet.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. chesscanoe said on May 3, 2018 at 12:32 pm
    Reply

    No more Windows 10 alpha testing for me, and I do not mean insider. Microsoft apparently chose to release 1803 without the Spectre fixes available for 1709 for my chipset. Meeting an April deadline by lowering the bar for security protection is not an acceptable practice to me.

    1. Martin said on May 3, 2018 at 2:25 pm
      Reply

      Yeah, this and the fact that they ruined VPN connections on 1803 is just another reason to switch to last version, or Linux. Stupid SaaS, takes less time to install W10 than to secure it from MS spying/telemetry/auto installs etc.

  2. Gerard said on May 3, 2018 at 12:54 pm
    Reply

    When did Intel and Microsoft (and other OS developers) first know about these new (?) vulnerabilities?
    Anyway, my next computer won’t have an Intel CPU.

    1. Julien said on May 3, 2018 at 1:34 pm
      Reply

      “Anyway, my next computer won’t have an Intel CPU.”
      I’d like to buy a new laptop computer with an AMD CPU but the AMD CPUs for laptops are not very powerful, as far as I know.

      1. Arthur said on May 3, 2018 at 3:02 pm
        Reply

        AMDs Ryzen Mobile chips are excellent, but many OEMs put them in low end laptops (or ignore them entirely), because many non tech savvy people still have the outdated idea that Intel is superior to AMD…

  3. Cinikal said on May 3, 2018 at 1:32 pm
    Reply

    Sooo…maybe browser or a better firewall?

    1. dark said on May 3, 2018 at 4:46 pm
      Reply

      pfSense router.

  4. Cinikal said on May 3, 2018 at 1:42 pm
    Reply

    Anyone Know a good Linux Distro for tablets?

    1. dark said on May 3, 2018 at 4:42 pm
      Reply

      Check Linux Mint or Manjaro.

    2. AnorKnee Merce said on May 3, 2018 at 5:14 pm
      Reply

      @ Cinikal

      Most touchscreen tablets use ARM chips, ie not keyboard-n-mouse, not Intel/AMD x86 chips. They may not be suitable for running a Linux desktop distro.
      ……. Debian, Ubuntu and Archlinux supports Linux on ARM but not fully(= still in development), eg …
      https://www.cnx-software.com/2014/12/28/ubuntu-nexus-9-tablet/
      https://www.cio.com/article/3023350/linux/running-desktop-linux-on-a-tablet-a-lid-for-every-pot.html
      https://www.linux-arm.info/index.php/tablet

      1. Cinikal said on May 3, 2018 at 11:08 pm
        Reply

        @AnorKnee Merce I realize but this came with 8.1 and now running W10. Biggest problem is its a Bay Trail system with 32 bit UEFI.

        @dark thanks will take another look.

      2. AnorKnee Merce said on May 4, 2018 at 11:59 am
        Reply

        @ Cinikal

        For an example, please refer to ….. https://forums.linuxmint.com/viewtopic.php?t=257572 ( ASUS T100TAF cannot boot USB with Mint) , ie you need to first install the bootia32.efi or 32bit UEFI bootloader file.

  5. Cinikal said on May 3, 2018 at 1:47 pm
    Reply

    And before anyone starts preaching how that wont help gfy!

  6. someone said on May 3, 2018 at 2:31 pm
    Reply

    This Intel vulnerability thing is getting ridiculous… I need to buy a computer but I am forced to wait for next generations of intel CPU’s that hopefully will fix this.

    1. daven said on May 4, 2018 at 3:17 am
      Reply

      just buy it and manage your information appropriately. Presumably you dont ‘have’ to put your deepest darkest state secrets in there. If you do, keep the thing isolated from the internet. Done.

      1. someone said on May 4, 2018 at 5:13 pm
        Reply

        I’m not worried about revealing my top secrets lol just performance loss caused by buggy fixes.

    2. AnorKnee Merce said on May 4, 2018 at 12:01 pm
      Reply

      @ someone

      Better to buy a new computer based on AMD processors.

  7. Leo said on May 3, 2018 at 2:59 pm
    Reply

    Intel/OEMs are still selling (record sales according to Intel) the defective chips. Their 2019 models are supposedly Spectre free as they will have newly designed chips (that is their claim).

    W10 is not going to save every home/small business Intel system as many were older processors upgraded via GWX. No BIOS fix for these critters. Some enterprise have already upgraded to W10 on either older hardware or new 2018 Intel hardware so they remain vulnerable to Spectre.

    The large enterprise still on W7/64 (the vast majority of Microsoft’s clients) are vulnerable to Spectre as these systems are probably more than 5 years old. The most probable target for most Spectre exploits – if and when they come.

    There is no place to hide. Intel has screwed everybody and continues to do so in 2018.

  8. Dave said on May 3, 2018 at 5:18 pm
    Reply

    Martin,

    Why did you use the word “majority” when surely you must know this to be false?

    “Intel released patches and updates for the majority of processors that protect against the previously disclosed Spectre and Meltdown variants.”

    1. Martin Brinkmann said on May 3, 2018 at 5:29 pm
      Reply

      You are right, I should have been clearer.

  9. Anonymous said on May 3, 2018 at 7:21 pm
    Reply

    Off-Topic: Something apparently got changed at Ghacks during the past 24 hours.

    Now, trying to load any Ghacks webpage will consistently freeze my browser indefinitely, as well as hog 25% of the CPU. As such, I’m forced to kill the browser process via Task Manager.

    To prevent Ghacks from freezing the browser, I have to disable Javascript. Can this be rectified ? Visiting Ghacks never used to freeze my browser. Thanks !

    1. Martin Brinkmann said on May 3, 2018 at 7:54 pm
      Reply

      Hi, can you provide details? How old is the device, which browser do you use, does it happen on the homepage and article pages?

      1. Martin Brinkmann said on May 3, 2018 at 8:09 pm
        Reply

        Also, do you get the same issues on https://www.maketecheasier.com/ ?

    2. daven said on May 4, 2018 at 3:19 am
      Reply

      yes that happened to me last night as well. Using old version of palemoon, old version of firefox, and current version of chrome. Happened on homepage AND articles.

    3. AnorKnee Merce said on May 5, 2018 at 9:35 am
      Reply

      @ Anonymous & daven

      Are you using Win 10 1803.? There are many reports of freezing problems with Win 10 1803.

      I have no problem with ghacks = LM 17.3 32bit/Firefox 52ESR/Intel Core2Duo

  10. Stefan said on May 4, 2018 at 6:22 am
    Reply

    Spectre has been around since 1985 so why worry ?

    1. Anonymous said on May 4, 2018 at 11:32 am
      Reply

      Spectre has been around since human was born.

  11. It's okay to not support Intel Management Engine said on May 4, 2018 at 5:10 pm
    Reply

    Hold my glass until the next batch of Intel management engine remote exploits come it in 2019… (someone gotta quote this prediction in 2019 I WAS RIGHT)

  12. Anonymous said on May 4, 2018 at 10:45 pm
    Reply

    Starting from 03 May 2018, indefinite browser-freezing occurs on every Ghacks page (including homepage), unless Javascript is disabled beforehand (where possible).

    Same browser specs as daven (above). Browsers are 32-bit on 64-bit OS. Device (laptop with dual GPUs) was manufactured in 2010, no Meltdown-Spectre patches applied.

    No problems with loading MakeTechEasier. Even even with Javascript enabled, its webpages all load instantly — in fact, faster than Ghacks before this browser-freezing issue started occurring at Ghacks.

    Also, now it seems impossible to reply in-place to a particular comment. Previously, clicking Reply will result in the Reply box appearing directly below the comment being replied to, & the Reply box will show a ‘Cancel Reply’ option.

    But now, the Reply box remains by default at the bottom of all comments without any ‘Cancel Reply’ option, so I’m not sure if this reply will appear at the correct position. Perhaps this atypical behaviour is due to Javascript being disabled (in order to load Ghacks without freezing the browser).

    1. Martin Brinkmann said on May 5, 2018 at 7:34 am
      Reply

      Thanks for your report. Does this happen in a single browser or in multiple browsers? Can you open the Developer Tools of the browser and check whether “network” displays any third-party JavaScript that misbehaves (e.g. loads indefinitely).

      Alternatively, can you disable all third-party JavaScript but not JavaScript on Ghacks to determine whether this is caused by a third-party script or JavaScript that runs on the site.

      1. Anonymous said on May 8, 2018 at 9:46 pm
        Reply

        @ Martin Brinkmann — As of now (08 May 2018, 7+ pm UTC), I’m able to access Ghacks without having to disable Javascript first. Nothing changed on my system, so something must have changed at Ghacks’ backend.

        During the past few days, the browser always froze at the point of “Transferring data from cdn.ghacks.net …”. But it wasn’t possible to get any meaningful info via the pre-opened ‘Developer Tools > Network’ panel, because simply accessing any Ghacks page would freeze the browser instantly & indefinitely, requiring a killing of the browser process via Task Manager — just like what GhacksAnomalies also said below (May 6, 2018 at 1:22 am).

        The common factors amongst the 3 users (Daven, GhacksAnomalies, me) who reported here about the same issue are: older hardware, browsers based on older forks, or very RAM-greedy browsers. My machine dates to 2010, with 4 GB RAM & Win 7. Maybe some recently-introduced Ghacks-hosted Javascript code(s) used too much memory.

        Thanks for looking into the issue, & removing/ replacing the problematic Javascript.

      2. Martin Brinkmann said on May 8, 2018 at 9:51 pm
        Reply

        I’m happy that you are no longer experiencing the issue. Work on the site will continue.

  13. GhacksAnomalies said on May 6, 2018 at 1:22 am
    Reply

    I had the same problem running from an very old PC, very old Windows, very old Firefox, which is much different than most are using, still I had the same problem with “www.ghacks.net” allowed, I couldn’t check out anything because the RAM usage surged and CPU took all resources so there was no other way than kill the browser process.

    This reply is written with only “cdn.ghacks.net” allowed.

    BTW, I noticed for some week ago that Ghacks didn’t show up properly in browser, I finally figured out that the encryption for “www.ghacks.net” and “cdn.ghacks.net” were different, I had one of the encryptions turned of so the “cdn.ghacks.net” wouldn’t load unless I enabled that particular encryption used for the CDN, but this was also rectified last week so I didn’t have to to turn on that particular encryption anymore to make the Ghacks page look normal.

    You had a lot of changes to your wbe page, whether you know it or not.

  14. Anonymous said on May 19, 2018 at 10:40 pm
    Reply

    1) As observed on 19 May 2018 (8+ pm UTC), if Javascript is enabled, trying to access any Ghacks page again freezes the browser indefinitely & hogs CPU. The only way out is to kill the browser process via Task Manager.

    Is it possible to minimize the amount of Javascript being used at Ghacks ? (Unable to reply in-place above due to having to disable Javascript in order to load Ghacks.)

    2) New Issue: Ghack’s feed URL (https://www.ghacks.net/feed/) no longer works in the browser (“page isn’t redirecting properly”). This is regardless of whether cookies & Javascript are allowed or not.

    1. Martin Brinkmann said on May 20, 2018 at 5:55 am
      Reply

      Hi, thanks for your feedback. Can you try and block live.sekindo.com and let me know if this improves the loading? The feed validates just fine, however. Do you get an error message?

  15. Anonymous said on May 20, 2018 at 11:55 pm
    Reply

    Loading Ghacks is back to normal now (20 May 2018, 9+ pm UTC) — no browser freezing, even with JavaScript enabled.

    Ghacks’ feed URL is also accessible again, without any intervention on my side.

    live.sekindo.com & its other domain permutations are already blocked by my HOSTS file all along. A such, I think the browser freezing etc. recently (May 2018) may have instead been caused by some other malformed JavaScript code that appears & disappears from Ghacks from time to time.

    In any case, Sekindo has a bad reputation for serving auto-playing banner/ pop-up video malvertisments. Perhaps Ghacks should blaclist this advert server & others with a similar behaviour. Thanks !

    https://www.webmasterworld.com/google_adsense/4829350.htm
    https://www.geekstogo.com/forum/topic/357438-jsdownloader-trojan-sekindo
    https://support.avg.com/answers?id=906b0000000boB8AAI
    https://forums.malwarebytes.com/topic/175662-need-help-cant-get-rid-of-sekindo-ads
    https://malwaretips.com/threads/need-help-removing-sekindo-video-ads.56611

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.