Warnings Over Fresh Processor Security Flaws

Security researchers have found eight novel flaws in computer chips that are similar to the "serious" bugs found earlier this year.

In January, computer firms rushed to fix the Meltdown and Spectre flaws that, under certain conditions, allowed attackers to steal data.

The latest discoveries let data be stolen in similar ways and have been shown to work under lab conditions.

Chip-makers are now analysing the bug reports before details are made public.

German tech news magazine c't broke the news about the eight bugs. It said several different security teams had discovered the flaws - which it dubbed Spectre Next Generation.

The teams who uncovered the Spectre NG family of flaws have followed standard bug disclosure protocols and given chip-makers and others 90 days to respond and prepare patches before they release details. The 90-day deadline on releasing information about some of the flaws expires on 7 May.

C't said Intel had classified four of the flaws as "high risk" and the rest as "medium". One of the most serious bugs could theoretically let attackers use their access to one vulnerable virtual computer to get at the server behind it, or at other similar software programs running on the same machine.

Cloud services such as Amazon's AWS could be "particularly affected" by this flaw, it said.

Intel declined to comment on c't's findings. It said reports that it was planning to formally acknowledge the existence of the bugs were premature.

"We believe strongly in the value of co-ordinated disclosure and will share additional details on any potential issues as we finalise mitigations," Intel told tech news site The Register.

Chip-maker AMD told Reuters that it was aware of reports about the fresh flaws and was examining the findings.

"Considering what we have seen with Meltdown and Spectre, we should expect a long and painful cycle of updates, possibly even performance or stability issues," Yuriy Bulygin, former Intel security researcher and head of hardware security firm Eclypsium, told Reuters.

Mr Bulygin said the publicity around Spectre and Meltdown had made chip attacks a "hot" area of research.

"Bad actors have probably already invested in such attacks by now," he said.

None of the eight flaws examined by c't is being used by cyber-criminals to attack firms and extract data.

The German report is the latest in a series from security researchers who have sought flaws similar to Meltdown and Spectre. Previously, three separate teams have released reports about bugs that let them take data under lab conditions.