New Variants Found in Spectre and Meltdown

Two new variants of the Meltdown and Spectre vulnerabilities that can allow an attacker to gain access to sensitive information have been disclosed, according to a 21 May US-CERT alert.

Google and Microsoft announced that the new variants, 3a and 4, known respectively as Meltdown and Spectre, affect central processing unit (CPU) hardware implementations, leaving them vulnerable to side-channel attacks.

Security researcher for Google Project Zero, Jann Horn, reported the issue after finding a new way to attack microprocessors while testing speculative execution behavior on Intel and AMD processors.

US-CERT wrote, “Meltdown is a bug that 'melts' the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.”

Rob Tate, distinguished security researcher at WhiteHat Security, said, "Once they can get code to run locally on a victim’s computer, highly skilled hackers have many tools at their disposal to expand their control and take over the machine. What made Meltdown/Spectre special was its universal nature in both working on many machines and being useful in many different scenarios on a given machine."

The vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) identifiers. Variant 3a, a rogue system register read, was assigned CVE-2018-3640, while Variant 4, known as Speculative Store Bypass (SSB), was assigned CVE-2018-3639. Tate said Variant 4 is being discussed in a fairly narrow scope of accessing specific unpatched browsers' private data.

"If an attacker has access to run code on a machine, there are already a number of simpler (and more universal) techniques to try before resorting to this, and it’s far from the wide-reaching implications of the original Spectre. So, while patches should be applied when possible, Intel is right to call this a Medium," said Tate. 
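Since the advice above is to apply patches where possible, a defender's first question is whether a given Linux host actually reports the Variant 4 mitigation as active. The following script is an added example, not code from the article or from any vendor: it reads the per-issue status files the Linux kernel publishes under /sys/devices/system/cpu/vulnerabilities/ (the spec_store_bypass entry was added alongside the Variant 4 fixes) and reduces each to a verdict; the directory is a parameter so the logic can be run against a constructed copy.

```shell
#!/bin/sh
# Added example: summarise the Linux kernel's reported mitigation state for
# Meltdown/Spectre-class issues, including Variant 4 (spec_store_bypass).
# Each file under VULN_DIR holds one line such as "Not affected",
# "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
# or "Vulnerable".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify <status-text>: map the kernel's free-text status to a verdict.
classify() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        Mitigation:*)    echo "mitigated" ;;
        Vulnerable*)     echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# report <dir>: print "<issue> <verdict> <raw text>" per entry and return 1
# if any entry is still reported as vulnerable, so it can gate a fleet check.
report() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        verdict=$(classify "$status")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$verdict" "$status"
        if [ "$verdict" = "vulnerable" ]; then rc=1; fi
    done
    return $rc
}

# Run against the live sysfs directory only when asked explicitly:
#   sh ssb_check.sh --live
if [ "$1" = "--live" ]; then
    report "$VULN_DIR"
fi
```

On a patched kernel the spec_store_bypass line reads "mitigated"; a non-zero exit from report means at least one issue is still reported as vulnerable.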

The more broadly useful a vulnerability is, the more it simplifies an attacker's process, and the easier it becomes for less-skilled attackers to compromise more machines.

In an industry where people are trained to expect speed, it's not uncommon to see the vast majority of people choose speed over security, said Renaud Deraison, co-founder and CTO of Tenable. “The speed of the chips inside our personal computers, our tablets and our phones is critical to their performance – everybody knows that."

“In this case," continued Deraison, "the vulnerabilities take advantage of the very features that make them fast. Intel optimized for performance and later learned they were facing a trade-off between security and performance."

In their security advisory, Microsoft wrote, “At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”
