Intel has confirmed the discovery of at least two more side channel security vulnerabilities in relation to the Spectre family of attacks on their processors, paying a reward of 100.000, 000 to the investigators who discovered them.
The latest in a series of hardware-processed security vulnerabilities affecting most processors on the current market, Spectre 1.1 and Spectre 1.2, as its name implies, subvariants of the already known lateral channel vulnerability specter Variant 1. Like its primary vulnerability, attacks allow non-privileged code to infer the contents of the memory that it should not have access to, including read passwords and cryptographic keys.
Discovered by Vladimir Kiriansky and Carl Waldspurger, who have published a document explaining their findings, Intel has confirmed vulnerabilities through its open source security Incident Response Team, paying 100,000 dollars to Through your error rewards program.
Intel and ARM have publicly acknowledged that some of their CPUs are vulnerable to Spectre 1.1. AMD has not released a statement, but AMD has been historically slow in reviewing security issues. As all Spectre attacks affected AMD CPUs, it is safe to assume that these new ones could also affect AMD.
“Most modern operating systems are affected” and is, as seems to be common to these vulnerabilities, that it relies on a software patch to mitigate risk rather than launching a microcode update.
However, Intel has promised more regular microcode upgrades for its products, including, hopefully, those that patch these latest vulnerabilities. Under its new timeline, the company will launch updates every three months, giving time to security investigators and system administrators to plan how updates will be tested and implemented, taking a monthly cycle sheet of Microsoft Tuesday patches.