The Register reports on researchers discovering new methods for exploiting the evil CPU Meltdown and Spectre vulnerabilities:
In a research paper – “MeltdownPrime and SpectrePrime: Automatically-Synthesized Attacks Exploiting Invalidation-Based Coherence Protocols” – out this month, bit boffins from Princeton University and chip designer Nvidia describe variants of Meltdown and Spectre exploit code that can be used to conduct side-channel timing attacks.
In short, the team have discovered new ways for malware to extract sensitive information, such as passwords and other secrets, from a vulnerable computer’s memory by exploiting the Meltdown and Spectre design blunders in modern processors. The software mitigations being developed and rolled out to thwart Meltdown and Spectre attacks, which may bring with them performance hits, will likely stop these new exploits.
Crucially, however, changes to the underlying hardware probably will not: that is to say, whatever Intel and its rivals are working on right now to rid their CPU blueprints of these vulnerabilities may not be enough. These fresh exploits attack flaws deeply embedded within modern chip architecture that will be difficult to engineer out.
Before you panic: don’t. No exploit code has been released.
Although no code has yet been released, this does not mean nation states have not developed toolsets to leverage these vulnerabilities. It is highly likely the US, UK, Russia, and China – among others – have already weaponized these exploits.
So while there is not necessarily any need to panic, there is absolutely a need to proceed with caution, especially for governments and large enterprise networks. Those networks within the crosshairs of extremely sophisticated actors will absolutely need to be prepared to defend against attacks leveraging these holes.