New Spectre 1.1 and Spectre 1.2 CPU Flaws Disclosed

Two security researchers have revealed details about two new Spectre-class vulnerabilities, which they’ve named Spectre 1.1 and Spectre 1.2.

Like all previous Meltdown and Spectre variants, these two take advantage of speculative execution, a feature found in all modern CPUs that improves performance by computing operations in advance and later discarding any results that turn out to be unneeded.

Spectre 1.1 and Spectre 1.2 short description

According to the researchers, a Spectre 1.1 attack uses speculative execution to overflow buffers through speculative stores, allowing an attacker to write and run malicious code that retrieves data from previously protected memory regions.

Spectre 1.1 is very similar to Spectre variants 1 and 4, but the two researchers who discovered the bug say that “currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1.”

As for Spectre 1.2, researchers say this bug can be exploited to write to CPU memory sectors that are normally protected by read-only flags.

“As a result [of malicious Spectre 1.2 writes], sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective,” researchers say.

Like most previous Meltdown and Spectre bugs, both vulnerabilities require malicious code already running on the user’s PC to carry out the attack. This somewhat limits their severity, but it does not excuse sysadmins who fail to apply patches once they become available.

Bug affects Intel and ARM, most likely AMD too

Intel and ARM have publicly acknowledged that some of their CPUs are vulnerable to Spectre 1.1. AMD has not published a statement, but AMD has historically been slow at reviewing security issues. Since all previous Spectre attacks affected AMD CPUs, it is safe to assume that these new ones affect AMD’s portfolio as well.

The researchers did not release information on the CPUs impacted by Spectre 1.2. No patches are available for either bug at the moment, but an Intel spokesperson told Bleeping Computer that its guide on handling Meltdown and Spectre flaws contains information on how developers can inspect and modify their source code to mitigate the vulnerability at the app/software level.
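The pattern the article describes (a bounds check followed by a store, which the CPU may execute speculatively before the check resolves) and the kind of source-level hardening Intel's guidance points developers to can be illustrated in a few lines. The following C is an added example written for this page; it is not code from the article, from Intel's guide or from the researchers' paper. The `struct sandbox` layout and the function names are constructed for illustration, and the branchless index mask is the well-known technique used by the Linux kernel's `array_index_nospec()` helper, assumed here to be the mitigation of interest. It assumes a 64-bit target where right-shifting a negative `int64_t` is an arithmetic shift (true for GCC and Clang).

```c
#include <stdint.h>
#include <stdio.h>

#define BUF_LEN 16

/* Constructed sandbox state: a writable buffer followed by a field that the
 * sandbox relies on and that must never be reachable through buf. */
struct sandbox {
    uint8_t buf[BUF_LEN];
    uint32_t privileged_flag;
};

/* Vulnerable pattern (Spectre 1.1 target): architecturally the check is
 * correct, but while the branch is still being predicted the CPU can execute
 * the store speculatively with an out-of-range idx, so the speculative write
 * may land beyond buf (here: on privileged_flag). */
void store_checked(struct sandbox *s, uint64_t idx, uint8_t val)
{
    if (idx < BUF_LEN) {
        s->buf[idx] = val;
    }
}

/* Branchless mask in the style of Linux's array_index_mask_nospec():
 * returns all-ones when idx < size and all-zeros otherwise, using arithmetic
 * only, so it holds even on the mispredicted speculative path.
 * If idx >= size, (size - 1 - idx) wraps and sets the top bit; the OR then
 * has its top bit set, the complement is non-negative, and the arithmetic
 * shift by 63 yields 0. If idx < size both operands keep the top bit clear,
 * the complement is negative, and the shift yields -1 (all ones). */
static inline uint64_t index_mask_nospec(uint64_t idx, uint64_t size)
{
    return (uint64_t)(~(int64_t)(idx | (size - 1 - idx)) >> 63);
}

/* Index after masking: unchanged when in range, 0 when out of range. */
uint64_t masked_index(uint64_t idx)
{
    return idx & index_mask_nospec(idx, BUF_LEN);
}

/* Hardened pattern: even if the branch is mispredicted, the masked index is
 * 0, so any speculative store stays inside buf and cannot reach
 * privileged_flag. Architectural behaviour is identical to store_checked. */
void store_hardened(struct sandbox *s, uint64_t idx, uint8_t val)
{
    if (idx < BUF_LEN) {
        idx = masked_index(idx);
        s->buf[idx] = val;
    }
}

int main(void)
{
    struct sandbox s = { {0}, 0xA5A5A5A5u };
    uint64_t samples[] = { 0, 15, 16, 1000, UINT64_MAX };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("idx=%20llu  mask=0x%016llx  masked_idx=%llu\n",
               (unsigned long long)samples[i],
               (unsigned long long)index_mask_nospec(samples[i], BUF_LEN),
               (unsigned long long)masked_index(samples[i]));
    }

    store_hardened(&s, 3, 0x42);
    store_hardened(&s, 1000, 0x42);   /* rejected by the check, mask gives 0 */
    printf("buf[3]=0x%02x privileged_flag=0x%08x\n", s.buf[3], s.privileged_flag);
    return 0;
}
```

The mask is a data dependency rather than a control dependency, which is why it survives misprediction. One caveat worth knowing: because the mask sits inside a branch that already proves `idx < BUF_LEN`, an optimizer is in principle free to fold it to all-ones; the Linux kernel avoids this by implementing the mask in inline assembly on x86. The example above keeps the plain C form so the arithmetic is visible.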

Microsoft, Oracle, and Red Hat have said they are still investigating if Spectre 1.1 affects data handled by their products and are looking into ways to mitigate the risk at the software level.

In their research paper (Speculative Buffer Overflows: Attacks and Defenses), the two academics who found the flaws suggested three hardware-based mitigations for preventing Spectre 1.1 attacks, and one for Spectre 1.2.

Intel has also paid the research team a bounty of $100,000 for discovering this bug as part of the company’s recently launched bug bounty program, which Intel set up following the disclosure of the original Meltdown and Spectre vulnerabilities. This is one of the highest bug bounty rewards known to date.

If you’ve lost track of all the recent Meltdown and Spectre-related CPU bugs, we’ve put together the following table to help you keep track of all the variations.

| Variant     | Description                    | CVE           | Codename    | Affected CPUs        | More info           |
|-------------|--------------------------------|---------------|-------------|----------------------|---------------------|
| Variant 1   | Bounds check bypass            | CVE-2017-5753 | Spectre v1  | Intel, AMD, ARM      | Website             |
| Variant 1.1 | Bounds check bypass on stores  | CVE-2018-3693 | Spectre 1.1 | Intel, ARM           | Paper               |
| Variant 1.2 | Read-only protection bypass    | CVE unknown   | Spectre 1.2 | Intel, ARM           | Paper               |
| Variant 2   | Branch target injection        | CVE-2017-5715 | Spectre v2  | Intel, AMD, ARM      | Website             |
| Variant 3   | Rogue data cache load          | CVE-2017-5754 | Meltdown    | Intel                | Website             |
| Variant 3a  | Rogue system register read     | CVE-2018-3640 |             | Intel, AMD, ARM, IBM | Mitre               |
| Variant 4   | Speculative store bypass       | CVE-2018-3639 | SpectreNG   | Intel, AMD, ARM, IBM | Microsoft blog post |