Spectre Patches Reach More CPUs as New Attack Variants Appear

Intel has released microcode patches to address the Spectre vulnerability on additional families of CPUs. Meanwhile, researchers have found a new way of implementing the Meltdown and Spectre attacks, but the variants are covered by existing patches.

“We have now released production microcode updates to our OEM customers and partners for Kaby Lake- and Coffee Lake-based platforms, plus additional Skylake-based platforms,” Navin Shenoy, the executive vice president and general manager of the Data Center Group at Intel, said in a blog post Feb. 20.

This means that Intel now has microcode patches available for its 6th, 7th and 8th generation of Intel Core processors, including the Intel Core X-series and the data center-specific Intel Xeon Scalable and Intel Xeon D CPUs.

The company first released patches in January for processors from the Haswell and Broadwell families but had to later withdraw them because they caused reboots and other unexpected system behavior. The company fixed the problem and reissued the microcode updates, along with patches for Skylake CPUs earlier this month.

The CPU microcode updates, which change the way processors work at the microarchitectural level, are only needed for one of the three vulnerabilities disclosed by researchers at the beginning of the year. The flaw is known as branch target injection, or Spectre variant 2.

Updating the CPU microcode is normally through a computer’s BIOS/UEFI, so users will have to wait for BIOS updates from their computer manufacturers. There is also a software-based mitigation for branch target injection called Retpoline that was developed by Google, but it requires recompiling individual software applications. The other two flaws, Spectre variant 1 and Meltdown, are fixed through OS or software patches.

A team of researchers from Princeton University and Nvidia have recently published a paper that describes a new way of exploiting Spectre and Meltdown. The original attacks used a Flush+Reload approach to leak sensitive data from a processor’s cache using a timing side-channel, while the new technique uses Prime+Probe. This is why the researchers call their new attack variants MeltdownPrime and SpectrePrime.

“Both of these new exploits use Prime+Probe approaches to conduct the timing attack,” the researchers said. “They are both also novel in that they are 2-core attacks which leverage the cache line invalidation mechanism in modern cache coherence protocols.”

In other words, they take advantage of the low-level mechanisms that multicore CPUs use to maintain coherence across each individual core caches. In tests, SpectrePrime proved even more accurate than Spectre, with a 99.95 percent accuracy on average compared to 97.9 percent for the old attack.

The good news is that the existing software-based mitigations that were developed for Spectre and Meltdown appear to also protect against SpectrePrime and MeltdownPrime. However, future microarchitectural mitigation for the Prime attacks will require new considerations, the researchers said.

The researchers who found the original Spectre flaws warned in their paper at the time that additional variants and exploitation methods are likely to be discovered in the future. In general, every major vulnerability attracts the attention of additional researchers to an affected component, resulting in more issues being discovered.

Third-Party Patches Available for Retired Microsoft Office Equation Editor

The removal of the aging Equation Editor from Microsoft Office last month angered a considerable number of users, particularly math teachers and those working in the scientific research field, as they were left unable to edit the equations in their old documents.

Microsoft’s decision was due to security concerns. The component, called EQNEDT32.EXE, had an old codebase that remained largely unchanged for the past 17 years and was not up to modern security standards.

In November, Microsoft fixed a critical vulnerability in the Equation Editor that could have allowed hackers to execute malicious code when users opened specially crafted documents. The company took the unusual approach of directly patching the binary file instead of fixing the issue in the source code and then recompiling the component. This prompted speculation that the company no longer has access to the source code, which might be true, given the component was actually created by another company, Design Science.

Following news of the flaw in November, a number of cyberespionage groups started exploiting it in attacks, which prompted additional security researchers to take a deeper look at the editor. This resulted in new vulnerabilities being discovered, but instead of patching them Microsoft decided to completely remove the old component with the January security update for Microsoft Office.

According to information from a Microsoft support article, users were basically left with two options: rewrite their old equations with the new equation editing functionality added in Office 2007 or use a commercial third-party application called MathType to modify equations created with the old editor.

However, there’s now a third option. Acros Security has decided to provide patches for all current and future vulnerabilities found in the Equation Editor through a technique the company calls micropatching, which involves injecting patches directly into the memory of running processes via an agent program.

The company developed micropatches for two unfixed flaws in Equation Editor and has provided information on how users can restore the component and apply those fixes via its 0patch agent for free.

“With the details we currently have about the known vulnerabilities in Equation Editor, it seems it should be easy for us to micropatch them,” the Acros researchers said in a blog post. “Should anyone find additional vulnerabilities in it (and since it’s been removed from Office, very few will bother searching), we’ll try to micropatch that too.”

That said, if someone finds a design vulnerability in the future that would be impractical to patch using this technique, the company might give up on its effort. For now, though, this is a much better alternative than avoiding to install Office security updates, which many users have probably done to keep using the old Equation Editor.

Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin

One thought on “Spectre Patches Reach More CPUs as New Attack Variants Appear

Comments are closed.