In response to news of the discovery of Spectre NG, with 8 new variations on the Spectre vulnerability, IT security experts commented below.
Craig Dods, Chief Security Architect at Juniper Networks:
“Assuming they prove to be legitimate, the group of vulnerabilities coined as “Spectre-NG” may pose significantly higher risks to cloud operators and multi-tenant environments than the original variants of Spectre. The information provided to the German technology site Heise seems to imply that a few of the eight new vulnerabilities facilitate VM-escape mechanisms, allowing a threat actor to compromise the hypervisor and/or other tenants from their own VM, apparently with little-to-no effort. As a point of reference, Spectre v1/v2 were quite difficult to use for the purposes of VM-escape within cloud environments. The details that are available for “Spectre-NG” hint that it’s incredibly easy to use, but we won’t know for sure until we can see what the actual problems are.”
Satya Gupta, CTO and Co-founder at Virsec:
“It’s almost inevitable that new variants of Spectre will emerge. Now that the core vulnerabilities of speculative execution have been publicized, many well-funded hacking groups globally are racing to find new ways to exploit them. These are advanced attacks exploiting small, but repeatable flaws that skip important security controls in literally billions of processors. While not all applications will be vulnerable and some compensating controls will be effective, the attackers are relentless and will continuously search for cracks in other defenses that allow Spectre to be exploited.”