It's been over 15 months since the Spectre and Meltdown processor vulnerabilities were revealed to software and hardware makers, and close to a year since they were made known to the wider public. The weaknesses, which potentially allow malware to access data from within a wide variety of CPUs, might not have caused computing armageddon, but researchers are finding new flaws in processors affected by these issues.
Spectre and Meltdown are the collective names for three different vulnerabilities found in the processors powering a vast number of the computing devices we rely on, from desktop and notebook PCs through to smartphones and other gadgets.
A team of academics has been looking at the two families of processor vulnerabilities and found another seven potentially exploitable variants, which they have demonstrated with proof-of-concept code. In other words, while there are no known attacks using these vulnerabilities, they have shown that it might be possible to use them in an attack.
The research paper, A Systematic Evaluation of Transient Execution Attacks and Defenses, details the seven new Spectre and Meltdown variants they have found. These are in addition to the three original vulnerabilities and the others that have been found since.
For the vast majority of us, the risk of these exploits being a substantial issue remains quite low. They are extremely complex vulnerabilities to exploit and require a determined attacker with substantial skill. The likelihood, in my view, is that a nation state attacker would be the most likely user of these exploits rather than your run-of-the-mill cybercriminal looking for a quick buck. That means the more likely targets are service providers. That's not just the major players like Microsoft, Amazon and Google, but data centre operators and managed service providers who provide shared services to businesses.
If you're using a service provider to host systems for you, it's worth asking what steps they have in place against these vulnerabilities.
However, the complexity involved in creating tools to exploit these vulnerabilities is almost always democratised. That means a time may come when exploit kits that take advantage of the Spectre and Meltdown families of bugs become cheaply available on the dark web and easily exploitable.