Second wave of Spectre-like CPU security flaws won't be fixed for a while
Intel needs more time and it could be Q3 before all the patches for OSes and VMs land
The new bunch of Spectre-like flaws revealed last week won't be patched for at least 12 days.
German outlet Heise, which broke news of the eight Spectre-like vulnerabilities last week has now reported that Intel wants disclosure of the flaws delayed until at least May 21.
“Intel is now planning a coordinated release on May 21, 2018. New microcode updates are due to be released on this date”, Jürgen Schmidt reported on May 7.
Last week, Heise noted that one participant in the planned coordinated release would include a Google Project Zero disclosure, which as far as The Register can discern has not yet happened.
Heise added that the bug affects any Core-i (and their Xeon derivatives) processors using microcode written since 2010; and Atom-based processors (including Pentium and Celeron) since 2013.
Fresh fright of data-spilling Spectre CPU design flaws haunt IntelREAD MORE
If disclosure and patches arrive in May, they won't complete Intel's response to the bugs, Schmidt reported. Further patches, tentatively scheduled for the third quarter, will be needed to protect VM hosts from attacks launched from guests.
In addition to microcode fixes from Intel, operating system-level patches will also be necessary.
Ever since the original Meltdown and Spectre bugs were confirmed in January, it's become clear that speculative execution has been of interest to researchers for some time.
We noted in January 2018 that researcher Anders Fogh had written on abusing speculative execution in July 2017, and shortly after the Spectre/Meltdown story blew up in January, researchers Giorgi Maisuradze and Christian Rossow from German research group CISPA published a broad analysis of speculative execution based on 2017 work separate to the Meltdown/Spectre research.
In April, Intel said some Spectre bugs were not fixable in some older architectures.
Vulture South asked Intel to comment on the Heise report, and received a non-response saying it takes security very, very seriously, is working with anyone who can or should help to fix things. "We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations," the company said. "As a best practice, we continue to encourage everyone to keep their systems up-to-date.”
Thanks for that last bit of advice, Intel. We can't imagine anyone thought of it before. ®