The news sounds bad at first blush: Researchers from Nvidia and Princeton University have discovered fresh ways to exploit the Meltdown and Spectre CPU vulnerabilities present in every modern computer processor. But while the new MeltdownPrime and SpectrePrime attacks prove that the initial exploits aren’t necessarily the only way to trigger the vulnerabilities lurking inside chips, everyday computer users shouldn’t freak out about them.
The new vulnerabilities pit the multiple CPU cores inside modern processors against each other and take advantage of the way memory cache access works in multi-core systems. The Register’s synopsis and the research paper have more in-depth technical details if you want them. Like Meltdown and Spectre, a successful attack can extract sensitive information, including passwords.
Now for the good news: The researchers didn’t release exploit code for MeltdownPrime and SpectrePrime. Better yet, the patches already planned for Meltdown and Spectre should protect against these new variants, too. All major operating systems released Meltdown protections as soon as the exploits were announced, Intel is starting to roll out CPU firmware updates after a disastrous first attempt, and industry leaders are tweaking compilers and how code is handled to harden other software against Spectre.
Safeguarding against Meltdown, Spectre, and these new Prime variants isn’t straightforward though, as the processor flaws touch every aspect of your PC. PCWorld’s tutorial on how to protect your PC against Meltdown and Spectre can walk you through the complicated patching process. Researchers are starting to see malware probing the vulnerabilities in the wild, so you’ll also want to take additional steps to keep your data safe. Invest in solid data backup and Windows antivirus solutions if you haven’t already—they’re must-haves in today’s computing world.
MeltdownPrime and SpectrePrime might complicate tomorrow’s computing world, though. Intel and AMD are building hardware fixes for the original CPU vulnerabilities into their next generations of processors, but these fresh attacks won’t get stopped by those, the researchers say.
“We believe that microarchitectural mitigation of our Prime variants will require new considerations. Where Meltdown and Spectre arise by polluting the cache during speculation, MeltdownPrime and SpectrePrime are caused by write requests being sent out speculatively in a system that uses an invalidation-based coherence protocol.”
Coincidentally, Intel expanded its bug bounty program yesterday, introducing a special program for “side-channel” attacks like these that pay up to $250,000 for disclosure of new exploits.
Stay patched, friends—but don’t panic.