Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they’ve named Spectre 1.1 and Spectre 1.2.
Just like all the previous Meltdown and Spectre CPU bugs variations, these two take advantage of the process of speculative execution— a feature found in all modern CPUs that has the role of improving performance by computing operations in advance and later discarding unneeded data.
Spectre 1.1 and Spectre 1.2 short description
According to researchers, a Spectre 1.1 attack uses speculative execution to deliver code that overflows CPU store cache buffers in order to write and run malicious code that retrieves data from previously-secured CPU memory sections.
Spectre 1.1 is very similar to the Spectre variant 1 and 4, but the two researchers who discovered the bug say that “currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1.”
As for Spectre 1.2, researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.
“As a result [of malicious Spectre 1.2 writes], sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective,” researchers say.
To exploit, similarly to most previous Meltdown and Spectre bugs, both vulnerabilities require the presence of malicious code on a user’s PC, code responsible for running the attack. This somewhat limits the bug’s severity, but doesn’t excuse sysadmins who fail to apply patches when they’ll become available.
Bug affects Intel and ARM, most likely AMD too
Intel and ARM have publicly acknowledged that some of their CPUs are vulnerable to Spectre 1.1. AMD has not published a statement, but AMD has been historically slow at reviewing security issues. Since all Spectre attacks affected AMD CPUs, it is safe to assume that these new ones also affect AMD’s portfolio as well.
Researchers didn’t release information on CPUs impacted by Spectre 1.2. No patches are available for either bugs at the moment, but an Intel spokesperson told Bleeping Computer that its guide on handling Meltdown and Spectre flaws contains information on how developers can inspect and modify their source code to mitigate the vulnerability at the app/software level.
Microsoft, Oracle, and Red Hat have said they are still investigating if Spectre 1.1 affects data handled by their products and are looking into ways to mitigate the risk at the software level.
In their research paper (Speculative Buffer Overflows: Attacks and Defenses), the two academics who found the flaws suggested three hardware-based mitigations for preventing Spectre 1.1 attacks, and one for Spectre 1.2.
Intel has also paid the research team a bounty of $100,000 for discovering this bug part of the company’s recently launched bug bounty program, which Intel set up following the disclosure of the original Meltdown and Spectre vulnerabilities. This is one of the highest bug bounty rewards known to date.
If you’ve lost track of all the recent Meltdown and Spectre-related CPU bugs, we’ve put together the following table to help you keep track of all the variations.
|Variant||Description||CVE||Codename||Affected CPUs||More info|
|Variant 1||Bounds check bypass||CVE-2017-5753||Spectre v1||Intel, AMD, ARM||Website|
|Variant 1.1||Bounds check bypass on stores||CVE-2018-3693||Spectre 1.1||Intel, ARM||Paper|
|Variant 1.2||Read-only protection bypass||CVE unknown||Spectre 1.2||Intel, ARM||Paper|
|Variant 2||Branch target injection||CVE-2017-5715||Spectre v2||Intel, AMD, ARM||Website|
|Variant 3||Rogue data cache load||CVE-2017-5754||Meltdown||Intel||Website|
|Variant 3a||Rogue system register read||CVE-2018-3640||–||Intel, AMD, ARM, IBM||Mitre|
|Variant 4||Speculative store bypass||CVE-2018-3639||SpectreNG||Intel, AMD, ARM, IBM||Microsoft blog post|