Spectre security drama far from over

$100k US paid for finding another bug

A few months ago the Spectre security vulnerability was all over the tech news. In a nutshell, Spectre is the result of branch mispredictions, which an attacker can exploit to gain access to private data. Since then, Intel has been working under high pressure to fix as many Spectre-related bugs and issues as possible, and one way of doing that has been to reward its community through its Bug Bounty Program.

Over the past few months, Intel has every so often paid five-figure USD amounts to members of its community who helped find more security-related issues. Yesterday marks the first time that the CPU giant paid $100’000 US to a member who pointed to the vulnerability, which is now called “Spectre 1.1” and which Intel refers to as CVE-2018-3693.

Up to the 10th of July, Intel has reported no fewer than twelve new security-related issues, six of which the company found on its own. In all cases, either firmware or software patches have been released. One bug is related to the UEFI in Xeon processors, which had to be fixed on the hardware side. According to Intel, a reference fix was provided in the pre-production Intel Scalable processors Refresh.

Apparently Spectre has caused a lot of discussion in the hardware industry, and Intel is not the only one to have lost a lot of trust from its customer base. Currently, one of Intel’s strategies to regain that trust, at least partially, is to introduce a quarterly patch day. In the case of severe security vulnerabilities there will also be hot fixes. Although this sounds nice in theory and is certainly catchy communication, the actual patching is not without issues, since all those microcode updates have to be uploaded to the processor through the BIOS/UEFI and not the operating system. Judging by the current state of affairs, it would definitely make sense for Intel to find a way to roll out all the current as well as the upcoming patches through the operating system.

Source: ComputerBase

News by Luca Rocchi and Marc Büchel - German Translation by Marc Büchel - Italian Translation by Francesco Daghini
