Seven new Meltdown and Spectre attacks found impacting CPUs

• New Meltdown and Spectre attacks affecting CPUs built by AMD, ARM and Intel have been discovered.
• These new attacks could allow cybercriminals to access CPU memory, thus stealing information pertaining to programs and the operating system.

Multiple new Meltdown and Spectre attacks that impact CPUs built by AMD, ARM and Intel have been discovered. In total, seven new attacks have been discovered, out of which, two are Meltdown variants and the rest are variants of the Spectre attack.

These new attacks could allow cybercriminals to access CPU memory, thus stealing information pertaining to programs and the operating system. A team of nine academics demonstrated the new attacks in their latest research paper titled, "A Systematic Evaluation of Transient Execution Attacks and Defenses".

The researchers said that they found these new vulnerabilities while performing “a sound and extensible systematization of transient execution attacks" on the CPUs.

New Meltdown attacks

The first Meltdown attack emerged in January this year. Since then, several new variants have been found by researchers. Foreshadow (or L1TF), Variant 1.2, Variant 3a and LazyFP are some of the variants discovered over the past few months.

The two new Meltdown attacks that the researchers have discovered are

• Meltdown-BR - exploits an x86 bound instruction on Intel and AMD.
• Meltdown-PK - bypasses memory protection keys on Intel CPUs.

New Spectre attacks

Just like Meltdown, the Spectre flaw was also discovered during the same time. Spectre NG, SpectreRSB, and NetSpectre are some of the variants discovered over the last few months.

Researchers conducted an extensive investigation to understand how these Spectre attack variants worked and which part of the CPU’s internal architecture was affected. Based on the research, they found three new Spectre attacks that exploit the Pattern History Table mechanism and two other Spectre attacks that abuse the Branch Target Buffer.

The research team has notified the three CPU vendors about the new Spectre and Meltdown attacks. However, Intel has dismissed the researchers statement on deploying of mitigation process.

“The vulnerabilities documented in this paper can be fully addressed by applying existing mitigation techniques for Spectre and Meltdown, including those previously documented here, and elsewhere by other chipmakers. Protecting customers continues to be a critical priority for us and we are thankful to the teams at Graz University of Technology, imec-DistriNet, KU Leuven, & the College of William and Mary for their ongoing research,” Intel said, ZDNetreported.