SoylentNews is people
SoylentNews
Heise.de reports that eight new security flaws have been reported to Intel by several teams of researchers:
All eight are essentially caused by the same design problem – you could say that they are Spectre Next Generation.
... Each of the eight vulnerabilities has its own number in the Common Vulnerability Enumerator (CVE) directory and each requires its own patches. It is likely that each vulnerability will receive its own name. Until then, we will jointly call these flaws Spectre-NG in order to distinguish them from the previously uncovered issues.
So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable. Further research is already underway on whether the closely related AMD processor architecture is also susceptible to the individual Spectre-NG gaps, and to what extent.
...Intel itself classifies four of the Spectre-NG vulnerabilities as "high risk"; the remaining four are rated as "medium". According to our own research, risks and attack scenarios at Spectre-NG are similar to those at Spectre – with one exception.
One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server.
(Score: 2) by c0lo on Tuesday May 08 2018, @10:11PM (1 child)
Is it too early to ask when is the next round of server reboots [soylentnews.org] scheduled?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 4, Informative) by martyb on Wednesday May 09 2018, @02:30AM
Excellent question! In a word: Yes.
In more words, you can keep an eye out on the Linode Status Page [statuspage.io] for advance notice as to when they intend to perform maintenance.
To their credit, Linode learned of the initial Meltdown/Spectre vulnerabilities at the same time as the rest of us [arstechnica.com]. As soon as they were able, Linode rolled out patches for their servers back in January. See our story about that reboot schedule [soylentnews.org]. And, they ran into the same host of problems with bad patches and server instability as the rest of us. This likely guided their more measured approach to the rolling out of updates that are currently being applied. I would expect Linode to adopt a similar approach for any other forthcoming patches &mdash get them out as quickly as possible so as to protect their clients' systems, but with as much vetting as possible so as to minimize any disruption.
You can be certain that when we learn more about any future reboots required as a result of applying fixes for these, new, just-now-revealed vulnerabilities, we will let the community know in a timely manner, as we have done here.
Wit is intellect, dancing.