Microsoft has released a warning about a new variant of the Spectre and Meltdown security flaws, which vulnerability is present in Intel, Arm and AMD chips used in many computers and mobile devices.
The flaw tagged "Variant 4" is the latest variant of the same security vulnerabilities that were first revealed in January, though it's mode of operation is now quite different.
As the moniker Spectre itself, it's like observing a ghost in the machine. The vulnerabilities can be used to read the content of memory across a trusted boundary, thereby leading to information disclosure, and there are multiple vectors by which an attacker could trigger the vulnerabilities depending on the environment.
While personal data can be discerned by watching the cache being updated by the processor's speculative execution engine.
And the speculative-execution design blunders can be exploited by malicious software running on a vulnerable device to extract personal information, such as username and passwords, from protected kernel or application memory.
This fourth variant (CVE-2018-3639) of Spectre security flaws, trails the immediate past variant 3 (CVE-2017-5754), which came after both Variants 1 and 2 known as Spectre (CVE-2017-5753) and (CVE-2017-5715), respectively.
Microsoft, however claims that it is not aware of any exploitable code patterns of this vulnerability class in its software or cloud service infrastructure, but said they are continuing the investigations.
As Microsoft continue to work with industry partners to improve mitigations against this class of vulnerabilities, the best advice had always been to keep you machine's software up-to-date.
A New variant of the Spectre and Meltdown security flaws discovered
Microsoft has released a warning about a new variant of the Spectre and Meltdown security flaws, which vulnerability is present in Intel, Arm and AMD chips used in many computers and mobile devices.
The flaw tagged "Variant 4" is the latest variant of the same security vulnerabilities that were first revealed in January, though it's mode of operation is now quite different.
As the moniker Spectre itself, it's like observing a ghost in the machine. The vulnerabilities can be used to read the content of memory across a trusted boundary, thereby leading to information disclosure, and there are multiple vectors by which an attacker could trigger the vulnerabilities depending on the environment.
While personal data can be discerned by watching the cache being updated by the processor's speculative execution engine.
And the speculative-execution design blunders can be exploited by malicious software running on a vulnerable device to extract personal information, such as username and passwords, from protected kernel or application memory.
This fourth variant (CVE-2018-3639) of Spectre security flaws, trails the immediate past variant 3 (CVE-2017-5754), which came after both Variants 1 and 2 known as Spectre (CVE-2017-5753) and (CVE-2017-5715), respectively.
Microsoft, however claims that it is not aware of any exploitable code patterns of this vulnerability class in its software or cloud service infrastructure, but said they are continuing the investigations.
As Microsoft continue to work with industry partners to improve mitigations against this class of vulnerabilities, the best advice had always been to keep you machine's software up-to-date.
No comments