The second wave of Specter-like vulnerabilities, which will take time to fix.
Preface: I didn’t find news on this topic on Habré, so I decided to translate a note from The Register about new vulnerabilities in Intel processors.
The new series of Specter-like vulnerabilities revealed last week will not be fixed for at least the next 12 days.
')
German news agency Heise, which last week reported on eight Specter-like vulnerabilities, said that Intel wants to postpone the issue of closing vulnerabilities until at least May 21.
“Intel is currently planning an agreed release on May 21, 2018. Fresh microcode updates are due for release on this day,” said Jürgen Schmidt on May 7.
Last week, Heise noted that one of the participants in the planned, coordinated release would be Google Project Zero, which has not yet happened, as far as is known from The Register.
Heise also adds that all Core-i processors (as well as Xeon processors) using microcode created since 2010 are vulnerable; Atom-based processors (including Pentium and Celeron) released since 2013.
If the disclosure of vulnerability information and patches that eliminate them, will appear in May, then Intel will not close them completely, according to Schmidt. Additional patches, the release of which is tentatively scheduled for the third quarter, are designed to protect virtual machines from external attacks.
In addition to patches at the processor level, Intel will also need patches at the operating system level.
Since the information about the presence of the original Meltdown and Specter vulnerabilities was confirmed in January of this year, it has become clear that the speculative execution of commands will sometime attract the interest of researchers.
The Register noted already in January 2018 that researcher Anders Fogh wrote about abuses of pre-emptive execution in July 2017, and shortly after the story of Specter / Meltdown happened in January, researchers Giorgi Maisuradze and Christian Rossow of the German research group CISPA published a detailed analysis of proactive execution technology based on a 2017 study.
In April, Intel reported that some Specter vulnerabilities are not removable in a number of old architectures.
The Vulture South edition asked Intel to comment on the Heise report and received a refusal to comment (in fact, a standard bureaucratic reply [note of the translator]), which states that they take security very seriously and cooperate with anyone who can or should help correct the situation. “We firmly believe in the value of consistent disclosure and will share additional information on any potential problems, as we strive to reduce the risk of loss,” the company said. “As a best practice, we continue to encourage everyone to update their systems in a timely manner.”
Thanks for the last tip, Intel. We cannot imagine anyone thinking about this before.
Intel may need some time to release the necessary patches for the major operating systems and virtualization tools, perhaps it will be the third quarter of 2018.
The new series of Specter-like vulnerabilities revealed last week will not be fixed for at least the next 12 days.
')
German news agency Heise, which last week reported on eight Specter-like vulnerabilities, said that Intel wants to postpone the issue of closing vulnerabilities until at least May 21.
“Intel is currently planning an agreed release on May 21, 2018. Fresh microcode updates are due for release on this day,” said Jürgen Schmidt on May 7.
Last week, Heise noted that one of the participants in the planned, coordinated release would be Google Project Zero, which has not yet happened, as far as is known from The Register.
Heise also adds that all Core-i processors (as well as Xeon processors) using microcode created since 2010 are vulnerable; Atom-based processors (including Pentium and Celeron) released since 2013.
If the disclosure of vulnerability information and patches that eliminate them, will appear in May, then Intel will not close them completely, according to Schmidt. Additional patches, the release of which is tentatively scheduled for the third quarter, are designed to protect virtual machines from external attacks.
In addition to patches at the processor level, Intel will also need patches at the operating system level.
Since the information about the presence of the original Meltdown and Specter vulnerabilities was confirmed in January of this year, it has become clear that the speculative execution of commands will sometime attract the interest of researchers.
The Register noted already in January 2018 that researcher Anders Fogh wrote about abuses of pre-emptive execution in July 2017, and shortly after the story of Specter / Meltdown happened in January, researchers Giorgi Maisuradze and Christian Rossow of the German research group CISPA published a detailed analysis of proactive execution technology based on a 2017 study.
In April, Intel reported that some Specter vulnerabilities are not removable in a number of old architectures.
The Vulture South edition asked Intel to comment on the Heise report and received a refusal to comment (in fact, a standard bureaucratic reply [note of the translator]), which states that they take security very seriously and cooperate with anyone who can or should help correct the situation. “We firmly believe in the value of consistent disclosure and will share additional information on any potential problems, as we strive to reduce the risk of loss,” the company said. “As a best practice, we continue to encourage everyone to update their systems in a timely manner.”
Thanks for the last tip, Intel. We cannot imagine anyone thinking about this before.
Source: https://habr.com/ru/post/358478/
All Articles