Security researchers Vladimir Kiriansky and Carl Waldspurger have uncovered two buffer-overflow derivatives of the Spectre microprocessor bug.
In a paper describing the flaws – dubbed Spectre 1.1 and Spectre 1.2 – the researchers wrote: “We have explored new speculative-execution attacks and defences, focusing primarily on the use of speculative stores to create speculative buffer overflows. The ability to perform arbitrary speculative writes presents significant new risks, including arbitrary speculative execution. Unfortunately, this enables both local and remote attacks.”
The researchers warned that the new attack can impact systems even if they have already been patched against the original Spectre flaw. Kiriansky and Waldspurger said an exploit of the new flaw would enable attackers to bypass recommended software mitigations for previous speculative-execution attacks.
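The pattern the paper describes for Spectre 1.1 is an ordinary bounds-checked store whose branch can be mispredicted, so the store executes speculatively with an out-of-bounds index. The example below is added here and is not code from the paper or from eSentire: it shows that store beside a hardened form that clamps the index branchlessly, in the style of the Linux kernel's array_index_nospec() (the function names and the 16-byte buffer are the editor's, and the mask assumes indices and lengths below half of SIZE_MAX).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed buffer size for the example. */
enum { BUF_LEN = 16 };

/* Classic bounds-checked store. Architecturally safe, but if the branch is
 * predicted "taken" the store runs speculatively with any idx the caller
 * supplied, which is the speculative buffer overflow the paper discusses. */
void store_checked(uint8_t *buf, size_t len, size_t idx, uint8_t v) {
    if (idx < len) {
        buf[idx] = v;
    }
}

/* Branchless mask: SIZE_MAX when idx < len, 0 otherwise. (idx - len) wraps
 * and sets the top bit exactly when idx < len; the shift isolates that bit
 * and the negation widens it. No branch, so nothing for the predictor to
 * guess wrong. */
size_t index_mask_nospec(size_t idx, size_t len) {
    size_t borrow = (idx - len) >> (sizeof(size_t) * 8 - 1);
    return (size_t)0 - borrow;
}

/* Index actually used for the access: unchanged when in bounds, 0 when not. */
size_t effective_index(size_t idx, size_t len) {
    return idx & index_mask_nospec(idx, len);
}

/* Hardened store: even on a mispredicted branch the speculative store lands
 * at buf[0], inside the buffer, so no out-of-bounds write is ever issued. */
void store_hardened(uint8_t *buf, size_t len, size_t idx, uint8_t v) {
    if (idx < len) {
        buf[effective_index(idx, len)] = v;
    }
}

/* Small self-check a reader can run: both stores refuse an out-of-bounds
 * index architecturally; only the hardened one also contains speculation. */
int demo(void) {
    uint8_t buf[BUF_LEN];
    memset(buf, 0, sizeof buf);
    store_checked(buf, BUF_LEN, 3, 0xAA);
    store_hardened(buf, BUF_LEN, 5, 0xBB);
    store_hardened(buf, BUF_LEN, 40, 0xCC); /* rejected, buf untouched */
    return buf[3] == 0xAA && buf[5] == 0xBB && buf[0] == 0;
}
```

The mask only protects the index it is applied to; the paper's point is that load-side mitigations alone leave stores like store_checked uncovered, so every speculatively reachable store needs the same treatment.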
They called on the IT community to develop generic fixes for the flaw. “Given the heightened public awareness due to Spectre and related attacks, there is higher consumer and business acceptance of previously unthinkable performance overheads for security protections,” said the researchers. “We hope this opportunity will be used to raise the bar for strong generic mitigations against both speculative and classic buffer overflows.”
Rather than treating the flaw as one more addition to the classic buffer-overflow patch burden, the researchers were optimistic: “We are confident that future secure hardware and software will be able to retain the performance benefits of speculative-execution processors.”
Cyber security firm eSentire said that because Spectre variant 1.2 enables would-be attackers to run code in regions of memory that were meant to be protected as read-only, the newly discovered bug opens up areas for attack that have not been seen before.
Like the earlier Spectre variants, which affect a huge number of devices, Spectre variants 1.1 and 1.2 affect both Intel and ARM processors. AMD processors may be affected too, said eSentire. “This means that most modern operating systems are susceptible,” it added. “Security patches have not yet been released for either new Spectre variant.”