The Inquirer

Security boffins uncover seven more Spectre and Meltdown attacks

And some have yet to be fully mitigated

IT crowd computer on fire
Meltdown and Spectre just won't go away
  • Roland Moore-Colyer
  • Roland Moore-Colyer
0 Comments

SECURITY BOFFINS have discovered another seven ways that the Meltdowns and Spectre vulnerabilities could be exploited by hackers if mitigations aren't in place.

Like a crap gift that won't stop giving, there has been a huge number of new ways Meltdown and Spectre attacks can be used against ARM, AMD and Intel chips.

The team of nine security researchers explained that two of the new attacks affect the Meltdown vulnerability, while the other five are variations on the original Spectre exploit.

"Recent research on transient execution attacks including Spectre and Meltdown showed that exception or branch misprediction events may leave secret-dependent traces in the CPU's microarchitectural state, the clever folks said in their paper A Systematic Evaluation of Transient Execution Attacks and Defenses

"This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defences (e.g., microcode and software patches).

"Unfortunately, both the industry and academia are now focusing on finding efficient defenses that mostly address only one specific variant or exploitation methodology. This is highly problematic, as the state-of-the-art provides only limited insight on residual attack surface and the completeness of the proposed defenses."

Some of these new attacks have protections in place to prevent them being used against targeted machines, but others have yet to be fully mitigated.

All this points towards the need to for chipmakers and software firms to keep working on ways to protect against new Spectre and Meltdown attacks as they emerge while doing as little as possible to affect processor performance.

For its part Intel doesn't seem too fussed, according to a widely-reported statement: "The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers.

"Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research."

While we doubt we've seen the last of new Spectre and Meltdown exploits coming to the fore, there's a good chance that the easily spotted ones have all been discovered and that there will be less frequent attack variants discovered from now on. Well, that's what we hope at least. µ

Further reading

INQ Latest