Semiconductor companies Intel and Arm have acknowledged that their CPUs have been affected by the new Spectre strain after security researchers recently discovered the flaws in their processors.
Vladimir Kiriansky and Carl Waldspurger found the Spectre 1.1 and Spectre 1.2 vulnerabilities, which affect both Intel and Arm processors. The researchers did not find anything on AMD processors, but they speculated that its chips might be affected, too. Both new flaws are said to be hard to detect.
Spectre 1.1 is a strain of the original Spectre v1 speculative execution flaw, which was first disclosed by Google Project Zero back in January. The new strain is capable of modifying data and code pointers by creating speculative buffer overflows from speculative memory writes. Additionally, it can bypass the current Spectre v1 defenses.
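The kind of code a speculative buffer overflow affects is a bounds-checked store. The C example below is added here and is not code from the researchers' paper or from any vendor: `index_mask`, `store_checked` and `store_masked` are hypothetical names, and the branchless mask uses the same arithmetic idea as the Linux kernel's `array_index_nospec()` helper. It assumes `size_t` and `ptrdiff_t` have the same width and that right-shifting a negative value is an arithmetic shift.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All-ones when idx < size, else zero, computed without a branch so the
 * result does not depend on branch prediction. Assumes size <= PTRDIFF_MAX.
 * Production code must also keep the compiler from turning this back into
 * a branch. */
static size_t index_mask(size_t idx, size_t size)
{
    ptrdiff_t t = ~(ptrdiff_t)(idx | (size - 1 - idx));
    return (size_t)(t >> (sizeof(size_t) * CHAR_BIT - 1));
}

/* Architecturally safe, but if the CPU mispredicts the bounds check the
 * store can execute speculatively with idx >= len. */
int store_checked(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx < len) {
        buf[idx] = val;
        return 1;
    }
    return 0;
}

/* Hardened form: the index is clamped by data flow, so under a mispredicted
 * check the store is forced to buf[0] instead of landing out of bounds. */
int store_masked(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx < len) {
        idx &= index_mask(idx, len);
        buf[idx] = val;
        return 1;
    }
    return 0;
}

int main(void)
{
    uint8_t buf[8] = {0};                  /* constructed sample buffer */
    size_t probes[] = {0, 7, 8, SIZE_MAX}; /* in-bounds and out-of-bounds */
    for (size_t i = 0; i < 4; i++)
        printf("idx=%zu mask=%zx stored=%d\n", probes[i],
               index_mask(probes[i], 8), store_masked(buf, 8, probes[i], 0x41));
    return 0;
}
```

Both functions behave identically architecturally; the difference is only in what a store can touch while the bounds check is still unresolved.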
Spectre 1.2, meanwhile, reportedly works the same way as Spectre v3, since it relies on bypassing inactive read and write protection. As a result, it can overwrite read-only data, code metadata, and code pointers. Therefore, protection that relies on running code in a sandbox becomes futile.
Catching up with the Spectre v. 1.1 paper: "Speculative execution of wrong or impossible paths creates speculative bug class doppelgängers to the known classes of pernicious bugs breaking memory and type safety" https://t.co/vKmPbeP2kR
— Kenn White (@kennwhite) July 11, 2018
In their published paper, Kiriansky and Waldspurger said there is no effective static analysis or compiler instrumentation that can detect or mitigate Spectre 1.1 at this point.
"If we must rely on software mitigations that require developers to manually reason about the necessity of mitigations, we may face decades of speculative-execution attacks."
For computer users, this means that Spectre 1.1 and Spectre 1.2 are highly capable of leaking sensitive data by working their way around CPUs. It would also be possible to extract passwords, crypto keys, and other credentials using malicious code.
As soon as the researchers exposed these vulnerabilities, internet search company Google was quick to respond at the browser level. By releasing a new update to the Chrome browser, it hopes to diminish the potentially dangerous impact of these flaws.
Google has released Site Isolation in Chrome for Windows, Mac, Linux, and Chrome OS to give its users some protection.