Spectre Next Generation vulnerabilities affect Intel processors
Intel is facing another wave of reported security issues that affect the company's processors. The vulnerabilities, called Spectre Next Generation or Spectre NG, have not been disclosed publicly yet.
A report on the German computer magazine site Heise suggests that eight new vulnerabilities were reported to Intel recently. Intel gave four of the eight vulnerabilities a severity rating of high and the remaining four a severity rating of medium according to Heise.
The exploitability of one of the vulnerabilities appears to be higher than that of previous issues as attackers may abuse the issue to break out of virtual machines to attack the host system or other machines, reports Heise.
Companies that provide cloud hosting or cloud services are primary targets for the vulnerability as attackers may exploit it to gain access to data transfers and data.
Intel released patches and updates for the majority of processors that it announced would receive updates to protect against the previously disclosed Spectre and Meltdown variants. Some updates are still missing, however, and it is likely that many computer systems are not yet protected against attacks.
One reason for that is that Microsoft has not distributed updates through Windows Update yet. The company released standalone updates for Windows 10 but not for Windows 7 or Windows 8.1, or the recently released Windows 10 version 1803.
It appears that Windows 10 version 1809 (the next feature update for Windows 10) might include the updates.
Microsoft's track record of protecting customer devices against potential attacks is not the best. The company did release initial patches in January but retracted them after a short while. While it has released updates for some of its supported operating systems, updates for other versions are still nowhere to be seen.
Even worse, the Meltdown updates for Windows 7 and Windows Server 2008 R2 introduced a new vulnerability on patched systems that the researcher called Total Meltdown.
Heise's report suggests that Intel plans to release patches for Spectre Next Generation vulnerabilities in two batches. The first patches could be released as early as May 2018, the second patches in August 2018.
If Intel's current track record holds, it is likely that the patches will be released at different times for different processor families.
The good news is that attacks against user systems using Spectre or Meltdown exploits are not widespread and that this is probably not going to change anytime soon.
Update: An Intel spokesperson provided the following statement:
Protecting our customers’ data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chipmakers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers. We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.
Closing Words
Be prepared for another round of updates that patch Spectre issues and side-effects such as performance drops. It seems likely that the eight new vulnerabilities are not the last that we will see in the coming years.
Now You: How do you deal with Spectre and Meltdown? (via Born)
I’m not sure exactly why but this web site is loading extremely slow for me. Is anyone else having this problem or is it an issue on my end? I’ll check back later and see if the problem still exists.
Excellent blog here! Also your web site loads up very fast!
What host are you using? Can I get your affiliate link to your host?
I wish my site loaded up as fast as yours lol
Loading Ghacks is back to normal now (20 May 2018, 9+ pm UTC) — no browser freezing, even with JavaScript enabled.
Ghacks’ feed URL is also accessible again, without any intervention on my side.
live.sekindo.com & its other domain permutations are already blocked by my HOSTS file all along. As such, I think the browser freezing etc. recently (May 2018) may have instead been caused by some other malformed JavaScript code that appears & disappears from Ghacks from time to time.
In any case, Sekindo has a bad reputation for serving auto-playing banner/ pop-up video malvertisements. Perhaps Ghacks should blacklist this advert server & others with a similar behaviour. Thanks !
https://www.webmasterworld.com/google_adsense/4829350.htm
https://www.geekstogo.com/forum/topic/357438-jsdownloader-trojan-sekindo
https://support.avg.com/answers?id=906b0000000boB8AAI
https://forums.malwarebytes.com/topic/175662-need-help-cant-get-rid-of-sekindo-ads
https://malwaretips.com/threads/need-help-removing-sekindo-video-ads.56611
1) As observed on 19 May 2018 (8+ pm UTC), if Javascript is enabled, trying to access any Ghacks page again freezes the browser indefinitely & hogs CPU. The only way out is to kill the browser process via Task Manager.
Is it possible to minimize the amount of Javascript being used at Ghacks ? (Unable to reply in-place above due to having to disable Javascript in order to load Ghacks.)
2) New Issue: Ghacks’ feed URL (https://www.ghacks.net/feed/) no longer works in the browser (“page isn’t redirecting properly”). This is regardless of whether cookies & Javascript are allowed or not.
Hi, thanks for your feedback. Can you try and block live.sekindo.com and let me know if this improves the loading? The feed validates just fine, however. Do you get an error message?
Not sure when it started, but Ghacks is again freezing the browser & using high CPU, when Javascript is enabled. The only way out is to kill the browser process via Task Manager.
This time, the freezing occurs only at the homepage & all of the category pages (ie. hyperlinks at top of Ghacks webpage).
Individual article pages if loaded from direct links are not affected, even with Javascript enabled.
As of 28 May 2018 9+ pm UTC, Ghacks (including this page) loads fine with JavaScript enabled — except for 1 particular page: https://www.ghacks.net/privacy-policy
As soon as the ‘Privacy Policy’ page is accessed, the browser freezes & CPU usage hits 25% indefinitely. There is no error message — just instant, prolonged freezing which renders the browser unusable. Once again, the only way out is to kill the browser process via Task Manager.
The ‘Privacy Policy’ loads OK only when JavaScript is disabled beforehand. Perhaps it might provide some clues as to which JavaScript codes are misbehaving or incompatible with certain system configurations.
I had the same problem running from a very old PC, very old Windows, very old Firefox, which is much different than most are using, still I had the same problem with “www.ghacks.net” allowed, I couldn’t check out anything because the RAM usage surged and CPU took all resources so there was no other way than kill the browser process.
This reply is written with only “cdn.ghacks.net” allowed.
BTW, I noticed some weeks ago that Ghacks didn’t show up properly in browser, I finally figured out that the encryption for “www.ghacks.net” and “cdn.ghacks.net” were different, I had one of the encryptions turned off so the “cdn.ghacks.net” wouldn’t load unless I enabled that particular encryption used for the CDN, but this was also rectified last week so I didn’t have to turn on that particular encryption anymore to make the Ghacks page look normal.
You had a lot of changes to your web page, whether you know it or not.
Starting from 03 May 2018, indefinite browser-freezing occurs on every Ghacks page (including homepage), unless Javascript is disabled beforehand (where possible).
Same browser specs as daven (above). Browsers are 32-bit on 64-bit OS. Device (laptop with dual GPUs) was manufactured in 2010, no Meltdown-Spectre patches applied.
No problems with loading MakeTechEasier. Even with Javascript enabled, its webpages all load instantly — in fact, faster than Ghacks before this browser-freezing issue started occurring at Ghacks.
Also, now it seems impossible to reply in-place to a particular comment. Previously, clicking Reply will result in the Reply box appearing directly below the comment being replied to, & the Reply box will show a ‘Cancel Reply’ option.
But now, the Reply box remains by default at the bottom of all comments without any ‘Cancel Reply’ option, so I’m not sure if this reply will appear at the correct position. Perhaps this atypical behaviour is due to Javascript being disabled (in order to load Ghacks without freezing the browser).
Thanks for your report. Does this happen in a single browser or in multiple browsers? Can you open the Developer Tools of the browser and check whether “network” displays any third-party JavaScript that misbehaves (e.g. loads indefinitely).
Alternatively, can you disable all third-party JavaScript but not JavaScript on Ghacks to determine whether this is caused by a third-party script or JavaScript that runs on the site.
@ Martin Brinkmann — As of now (08 May 2018, 7+ pm UTC), I’m able to access Ghacks without having to disable Javascript first. Nothing changed on my system, so something must have changed at Ghacks’ backend.
During the past few days, the browser always froze at the point of “Transferring data from cdn.ghacks.net …”. But it wasn’t possible to get any meaningful info via the pre-opened ‘Developer Tools > Network’ panel, because simply accessing any Ghacks page would freeze the browser instantly & indefinitely, requiring a killing of the browser process via Task Manager — just like what GhacksAnomalies also said below (May 6, 2018 at 1:22 am).
The common factors amongst the 3 users (Daven, GhacksAnomalies, me) who reported here about the same issue are: older hardware, browsers based on older forks, or very RAM-greedy browsers. My machine dates to 2010, with 4 GB RAM & Win 7. Maybe some recently-introduced Ghacks-hosted Javascript code(s) used too much memory.
Thanks for looking into the issue, & removing/ replacing the problematic Javascript.
I’m happy that you are no longer experiencing the issue. Work on the site will continue.
Hold my glass until the next batch of Intel management engine remote exploits come in 2019… (someone gotta quote this prediction in 2019 I WAS RIGHT)
Spectre has been around since 1985 so why worry ?
Spectre has been around since human was born.
Off-Topic: Something apparently got changed at Ghacks during the past 24 hours.
Now, trying to load any Ghacks webpage will consistently freeze my browser indefinitely, as well as hog 25% of the CPU. As such, I’m forced to kill the browser process via Task Manager.
To prevent Ghacks from freezing the browser, I have to disable Javascript. Can this be rectified ? Visiting Ghacks never used to freeze my browser. Thanks !
@ Anonymous & daven
Are you using Win 10 1803? There are many reports of freezing problems with Win 10 1803.
I have no problem with ghacks = LM 17.3 32bit/Firefox 52ESR/Intel Core2Duo
yes that happened to me last night as well. Using old version of palemoon, old version of firefox, and current version of chrome. Happened on homepage AND articles.
Hi, can you provide details? How old is the device, which browser do you use, does it happen on the homepage and article pages?
Also, do you get the same issues on https://www.maketecheasier.com/ ?
Martin,
Why did you use the word “majority” when surely you must know this to be false?
“Intel released patches and updates for the majority of processors that protect against the previously disclosed Spectre and Meltdown variants.”
You are right, I should have been clearer.
Intel/OEMs are still selling (record sales according to Intel) the defective chips. Their 2019 models are supposedly Spectre free as they will have newly designed chips (that is their claim).
W10 is not going to save every home/small business Intel system as many were older processors upgraded via GWX. No BIOS fix for these critters. Some enterprise have already upgraded to W10 on either older hardware or new 2018 Intel hardware so they remain vulnerable to Spectre.
The large enterprise still on W7/64 (the vast majority of Microsoft’s clients) are vulnerable to Spectre as these systems are probably more than 5 years old. The most probable target for most Spectre exploits – if and when they come.
There is no place to hide. Intel has screwed everybody and continues to do so in 2018.
This Intel vulnerability thing is getting ridiculous… I need to buy a computer but I am forced to wait for next generations of intel CPU’s that hopefully will fix this.
@ someone
Better to buy a new computer based on AMD processors.
Just buy it and manage your information appropriately. Presumably you don’t ‘have’ to put your deepest darkest state secrets in there. If you do, keep the thing isolated from the internet. Done.
I’m not worried about revealing my top secrets lol just performance loss caused by buggy fixes.
And before anyone starts preaching how that won’t help gfy!
Anyone Know a good Linux Distro for tablets?
@ Cinikal
Most touchscreen tablets use ARM chips, ie not keyboard-n-mouse, not Intel/AMD x86 chips. They may not be suitable for running a Linux desktop distro.
Debian, Ubuntu and Archlinux support Linux on ARM but not fully (= still in development), e.g. …
https://www.cnx-software.com/2014/12/28/ubuntu-nexus-9-tablet/
https://www.cio.com/article/3023350/linux/running-desktop-linux-on-a-tablet-a-lid-for-every-pot.html
https://www.linux-arm.info/index.php/tablet
@AnorKnee Merce I realize but this came with 8.1 and now running W10. Biggest problem is it’s a Bay Trail system with 32 bit UEFI.
@dark thanks will take another look.
@ Cinikal
For an example, please refer to ….. https://forums.linuxmint.com/viewtopic.php?t=257572 ( ASUS T100TAF cannot boot USB with Mint) , ie you need to first install the bootia32.efi or 32bit UEFI bootloader file.
Check Linux Mint or Manjaro.
Sooo…maybe browser or a better firewall?
pfSense router.
When did Intel and Microsoft (and other OS developers) first know about these new (?) vulnerabilities?
Anyway, my next computer won’t have an Intel CPU.
“Anyway, my next computer won’t have an Intel CPU.”
I’d like to buy a new laptop computer with an AMD CPU but the AMD CPUs for laptops are not very powerful, as far as I know.
https://www.pcgamer.com/dells-newest-laptops-pack-ryzen-cpus-with-integrated-radeon-vega-graphics/
AMD’s Ryzen Mobile chips are excellent, but many OEMs put them in low end laptops (or ignore them entirely), because many non tech savvy people still have the outdated idea that Intel is superior to AMD…
No more Windows 10 alpha testing for me, and I do not mean insider. Microsoft apparently chose to release 1803 without the Spectre fixes available for 1709 for my chipset. Meeting an April deadline by lowering the bar for security protection is not an acceptable practice to me.
Security of every system is key and when it’s compromised, things are not the same again.
Yeah, this and the fact that they ruined VPN connections on 1803 is just another reason to switch to last version, or Linux. Stupid SaaS, takes less time to install W10 than to secure it from MS spying/telemetry/auto installs etc.