plans to release patches for a new vulnerability affecting its chips, the second time this year it has addressed flaws known as Spectre and Meltdown. The fix is unlikely to be the last.
Inspired by the January disclosure of the bugs, security researchers are digging into chip attacks and uncovering even more flaws, said an independent cryptography expert who with others discovered Spectre.
Spectre and Meltdown sent the world’s chip makers scrambling to fix design flaws long present in most of the world’s processors. The latest discovery, disclosed Monday by Intel, Google and others, is a new variant on Spectre. Advanced Micro Devices and ARM, owned by , said their products also are affected.
Security researchers say this latest bug, a twist of the Spectre flaw called Variant 4, is complex, making it less of a threat since it is more difficult for hackers to exploit than the Meltdown bug. But it won’t be the last such discovery, they say.
“There are going to be lots more vulnerabilities found over the next five years; no question about it,” Mr. Kocher said.
Research into hardware attacks has heated up in recent years and was given a further boost from the publicity generated by Spectre and Meltdown.
At the annual security and privacy conference for the Institute of Electrical and Electronics Engineers, held in San Francisco this week, there were nearly 30% more papers submitted covering computer hardware security than last year, said Bryan Parno, a Carnegie Mellon University professor and one of the conference’s organizers.
The Spectre and Meltdown discoveries “will likely draw additional interest to the area” of hardware hacking, he said.
An Intel spokesman declined to comment on whether the company was expecting to patch more hardware flaws in the future. In a Monday blog post, Intel wrote: “We know that new categories of security exploits often follow a predictable life cycle, which can include new derivatives of the original exploit.”
While Spectre and Meltdown affect most of the world’s chips, they have been a particular problem for Intel, which commands 95% of the market for server and personal-computer processors.
There are no known reports of Spectre and Meltdown attacks being used by criminals, but security researchers are worried they can be used to steal data such as passwords from cloud-computing servers or desktop PCs surfing the internet.
Intel has addressed Spectre and Meltdown with software updates, but the company expects to fix these bugs at the chip level in new processors released later this year. Intel doesn’t expect the problem to have a material impact on its finances.
While there are more bugs likely to come, not every discovery will be on par with Meltdown and Spectre, said Ryan Permeh, a former Intel security architect who is now chief scientist with security vendor Cylance Inc.
“These things happen every three-to-five years,” he said.
—Ted Greenwald contributed to this article.
Write to Robert McMillan at [email protected]
Source: WSJ