Date
21 October 2018
The new flaws, dubbed Spectre-Next Generation, could allow attackers to access personal data such as passwords and encryption keys. Photo: Reuters

Germany urges chip and hardware makers to tackle processor flaws

Germany’s federal cyber agency called on chip and hardware makers to address new vulnerabilities discovered in computer central processing units, but said no complete fix was possible at the moment, Reuters reports.

The BSI said its analysis showed the new flaws, dubbed Spectre-Next Generation, resembled the Meltdown and Spectre bugs discovered in January and could allow attackers to access personal data such as passwords and encryption keys.

While no new attacks were known outside laboratories, there was a risk that attackers could develop new methods based on detailed information that had been disclosed, it added.

“No complete eradication of the flaws is possible at the moment; the risk can only be minimized,” the agency said in a statement.

Temporary measures were needed since vulnerable processors and affected computer systems could only be swapped out in the longer term, BSI said.

The agency also urged cloud and virtual solution providers to immediately investigate the impact of the flaws on their products, and respond along with the manufacturers of system components.

“Customers should be informed about the measures taken and the remaining risks,” it said.

A German computing magazine called c’t reported earlier this month that researchers had found eight new flaws that resembled the Meltdown and Spectre bugs.

It said Intel Corp. planned to patch the flaws and some chips designed by ARM Holdings, a unit of Japan’s SoftBank, might be affected. Work was continuing to establish whether Advanced Micro Devices chips were vulnerable.

BSI did not name any manufacturers involved.

Intel has not addressed the c’t article directly but said in a statement earlier this month that it uses a process called “coordinated disclosure” in which security researchers and companies agree to not release information about bugs until patches are ready.

“We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations,” the company said in the statement. “As a best practice, we continue to encourage everyone to keep their systems up-to-date.”
