Each of the eight vulnerabilities have been assigned their own Common Vulnerability Enumerator (CVE) designation, and each will need to be patched separately according to German publication c’t. Intel, which has been notified of Spectre-NG, acknowledges that four of the new exploits are considered “high risk”, while the other four are “medium risk”.
At least one of the vulnerabilities is reportedly even more damaging the original Spectre exploit. “An attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster,” writes c’t. “It could attack the VMs of other customers running on the same server.”
Google’s Project Zero team, which was instrumental in helping to uncover the original Spectre exploit, is responsible for discovering one of the new Spectre-NG variants. Project Zero adheres to a strict 90-day blackout period before publicly disclosing exploits — which Microsoft knows all too well — which means that this vulnerability will be disclosed on May 7th.
We should note that Microsoft’s Patch Tuesday is coming up on May 8th, so it’s quite possible that new mitigations for old and new versions of Spectre exploits will be presented with updates to operating systems like Windows 10. Microsoft has taken it upon itself to encourage researchers to discover such Spectre-esque vulnerabilities with a bug bounty program that offers up to a $250,000 reward.
For its part, Intel says that it is working diligently to protect its customers from future attacks. “Protecting our customers’ data and ensuring the security of our products are critical priorities for us,” said an Intel spokesperson in a statement to Threatpost. “We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date.”
Intel reportedly plans a “first wave” of patches for Spectre-NG in this month, with a second “second wave” planned for August.