Intel has confirmed the discovery of at least two more side-channel security vulnerabilities relating to the Spectre family of attacks in its processors, paying out a $100,000 bug bounty to the researchers who discovered them.
The latest in a string of hardware-baked security vulnerabilities affecting the majority of the processors on the market today, Spectre 1.1 and Spectre 1.2 are, as their names suggest, sub-variants of the already-known Spectre Variant 1 side-channel vulnerability. Like their parent vulnerability, the attacks allow unprivileged code to infer the contents of memory to which it should not have access – up to and including reading passwords and cryptographic keys.
Discovered by Vladimir Kiriansky and Carl Waldspurger, who have published a paper explaining their findings, Intel has confirmed the vulnerabilities via its open-source security incident response team, paying $100,000 through its bug bounty programme. Quick to point out that the vulnerabilities potentially affect rival chips from AMD and Arm, the company has warned that ‘most modern operating systems are impacted‘ and is, as seems to be common for these vulnerabilities, relying upon a software patch to mitigate the risk rather than releasing a microcode update.
Intel has, however, pledged more regular microcode updates for its products – including, hopefully, ones which patch these latest vulnerabilities. Under its new schedule, the company will release updates every three months – giving security researchers and system administrators time to plan out how the updates will be tested and rolled out, taking a leaf from Microsoft’s monthly Patch Tuesday cycle.
To read the original article