Security researchers at Microsoft and Google have discovered two new variants of the Spectre attack that affect processors made by AMD, ARM, IBM and Intel. Initial whispers of the flaw were leaked online by a German magazine earlier this month; the actual details were disclosed this week. AMD, ARM, IBM, Intel, Microsoft, Red Hat and Ubuntu have released advisories explaining how the bug works and how severe it is.
The flaw has been named SpectreNG and is related to Meltdown and Spectre, which were discovered last year in the first quarter. The new flaws were discovered independently by Google and Microsoft researchers and are designated Variant 3a and Variant 4.
- Variant 1: bounds check bypass (CVE-2017-5753) aka Spectre v1
- Variant 2: branch target injection (CVE-2017-5715) aka Spectre v2
- Variant 3: rogue data cache load (CVE-2017-5754) aka Meltdown
- Variant 3a: rogue system register read (CVE-2018-3640)
- Variant 4: speculative store bypass (CVE-2018-3639) aka SpectreNG
Variant 3a is another version of the Meltdown flaw, while Variant 4 is closer to Spectre; of the two, Variant 4 is the more harmful. Both flaws stem from speculative execution, the feature found in nearly all modern CPUs that improves performance by executing instructions ahead of time and discarding any results that turn out not to be needed. Variant 4 targets a different part of the speculative execution process: to be exact, the data inside the “store buffer” in the CPU’s cache memory.
“…relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.”
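To make the mechanism in the Red Hat description concrete, here is a toy pipeline model, added for this article and not part of the original coverage or of any vendor's code: a store whose address has not yet resolved sits in the store buffer, a younger load to the same address is allowed to run ahead and reads the older value from memory, and an access that depends on that value leaves a footprint which survives the later squash. The `ssbd` flag models the Speculative Store Bypass Disable mitigation, which makes the load wait for the store address instead. The names (`Core`, `PendingStore`, `run_scenario`) and the sample address and values are constructed for the example; it performs no timing measurement and is not a CPU simulator.

```python
"""Toy pipeline model of Speculative Store Bypass (Spectre Variant 4).

Constructed for illustration only: one core with main memory, a store buffer
whose entries may still have an unresolved address, a speculative load path,
and a 'cache footprint' set standing in for the cache side channel that the
advisories describe.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PendingStore:
    """A store waiting in the store buffer; addr is None until it resolves."""
    value: int
    addr: Optional[int] = None


@dataclass
class Core:
    """Minimal core: memory, a store buffer and a side-channel footprint."""
    memory: dict
    ssbd: bool = False                       # Speculative Store Bypass Disable
    store_buffer: list = field(default_factory=list)
    cache_footprint: set = field(default_factory=set)

    def store(self, value, addr=None):
        """Queue a store. addr=None models an address still being computed."""
        entry = PendingStore(value, addr)
        self.store_buffer.append(entry)
        return entry

    def speculative_load(self, addr):
        """Value handed to dependent instructions before the load retires.
        Walks the store buffer youngest-first, as a real load unit does."""
        for st in reversed(self.store_buffer):
            if st.addr == addr:
                return st.value                # store-to-load forwarding: correct value
            if st.addr is None:
                if self.ssbd:
                    return None                # mitigated: stall until the address is known
                break                          # bypass: predict that the store does not alias
        return self.memory.get(addr, 0)        # may be stale relative to the pending store

    def dependent_access(self, value):
        """A later access indexed by the loaded value (e.g. probe[value * 4096]).
        Its cache footprint survives even if the speculation is squashed."""
        if value is not None:
            self.cache_footprint.add(value)

    def retire(self, addr):
        """Drain the store buffer to memory and return the architecturally
        correct value of a load from addr."""
        for st in self.store_buffer:
            assert st.addr is not None, "cannot retire a store with an unresolved address"
            self.memory[st.addr] = st.value
        self.store_buffer.clear()
        return self.memory.get(addr, 0)


def run_scenario(ssbd):
    """Store NEW to address A while memory still holds OLD, then load from A
    before the store's address has resolved. Returns what the speculative path
    saw, what architecturally committed, and what the side channel recorded."""
    A, OLD, NEW = 0x1000, 0x41, 0x5A          # constructed sample values
    core = Core(memory={A: OLD}, ssbd=ssbd)
    pending = core.store(NEW)                  # address of this store not yet known
    spec = core.speculative_load(A)            # the load races ahead of the older store
    core.dependent_access(spec)
    pending.addr = A                           # address resolves: it aliases the load
    arch = core.retire(A)
    return {
        "speculative": spec,
        "architectural": arch,
        "footprint": set(core.cache_footprint),
        "squashed": spec is not None and spec != arch,
    }


if __name__ == "__main__":
    for flag in (False, True):
        print(f"ssbd={flag}: {run_scenario(flag)}")
```

With the mitigation off, the speculative path sees the stale value (0x41) while 0x5A is what commits, so the result is squashed but the footprint already records the stale value; with `ssbd=True` the load stalls, nothing dependent executes, and the footprint stays empty. That difference is the whole point of the mitigation: it removes the window in which a speculatively executed load can observe memory contents that the architectural program never exposes.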
“An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries,” Microsoft said in a similar advisory, confirming a Red Hat assessment that the flaw could be used to break out of sandboxed environments. Microsoft also published a more in-depth blog on the Variant 4 bug.
Jann Horn, the Google engineer who discovered the original Spectre flaw, has also published proof-of-concept code. Variant 4 can also be exploited remotely via JavaScript code running in the browser, although Microsoft said it has not detected any exploitation attempts.