Industry braces for impact, as firm develops microcode updates

Intel is reportedly prepping a batch of fixes to address Spectre-like vulnerabilities in its processors.

The eight vulnerabilities – four rated as high risk and four medium – won’t be addressed by Intel until at least May 21. The release was originally scheduled for May 7, but has been delayed to allow more time to develop microcode updates and coordinate patching.

The so-called ‘Spectre Next Generation’ (Spectre-NG) vulnerabilities affect Core-i and their Xeon derivate processors released since 2010 and Atom-based processors (including Pentium and Celeron) from 2013 onwards.

German news outlet Heise adds (Google translation here) that Spectre-NG also affects cloud operators and multi-tenant environments.

Operating system-level patches will be needed to shore up defenses on top of the microcode fixes from Intel.

Intel’s response to the bugs won’t be completed next week – even assuming the patches arrive on time. Patches to protect virtual machine hosts from attacks launched from guests, slated for delivery in August, will also be needed.

Intel has acknowledged but is yet to respond to a request for comment from The Daily Swig.

More clarity on the extent of the problem will likely only come with the release of patches themselves, which will reveal if AMD and ARM processors (affected by the original Spectre vulnerability) are also at risk.

The situation has left the industry bracing for impact, the severity of which remains unclear.

“It’s worth saying that these issues are not trivial to fix. Intel must be wondering how many more are going to come to light,” Professor Alan Woodward of the University of Surrey told The Daily Swig.

When it comes to dealing with the Meltdown and Spectre vulnerabilities, the computer scientist added that Intel was taking the only approach available. 

“You can’t realistically recall all the hardware, so patches to the lowest levels of code run by operating systems is the only way if solving the problem,” Professor Woodward explained.

“And, of course, in some cases (as we saw with the original Spectre) it can be a case of mitigating the impact rather than truly solving the problem. That gives an idea of how deep seated these issues are.”

Professor Woodward expressed concerns that Spectre-NG would be addressed in two waves with the most severe vulnerabilities – in cloud-based environments – remains unresolved until as late as August.

“The concern is that it appears as if the patches are being rolled out in two waves, and it is the more severe issues that will be in wave two,” Professor Woodward said.

“I’ve seen reports that this may not be until August. Again, an indication of just how difficult these are to even mitigate.”

Cheat sheet: Meltdown and Spectre

The Meltdown and Spectre processor vulnerabilities have shaken up the industry since they were disclosed in January.

Meltdown breaks the isolation between user applications and portions of protected kernel memory. Spectre, which is harder to exploit but potentially more dangerous, knocks down the isolation between different applications.

The flaws might be exploited by malicious applications or rogue JavaScript to steal secrets such as passwords from vulnerable systems.

Spectre – so named because it involves flaws in the speculative execution technology that have been used for years to speed the execution of tasks – affects a range of processor makers including AMD and ARM as well as Intel.

Mitigating the effects of Meltdown and Spectre have involved the development of software fixes that have by design slowed down the operation of some systems. Intel admitted last month that some Spectre bugs were not fixable in some older architectures.