Spectre and Meltdown are a pair of chip-level security bugs that exploit something called "speculative execution," through which chips boost performance by making shrewd guesses about which computer operations are performed together.
Spectre and Meltdown represented a new class of never-seen-before attacks, and as news of their existence percolated through security circles, it sparked a scavenger hunt for more errors of their sort, with many more coming to light.
Intel calls these "Microarchitectural Data Sampling" (MDS) attacks, and now a team of industry and academic researchers (some of whom worked on the original Spectre/Meltdown papers) have gone public with a new set of MDS bugs that Intel was given advance notice of (some of these bugs were discovered more than a year ago). All but the most recent Intel chips are vulnerable to these attacks (you can check your system here).
The researchers have dubbed the new defects CPU Fail, and they have disclosed three CPU Fail attacks: Zombieload, RIDL, and Fallout, which they class as "less serious than Meltdown but worse than Spectre."
Intel and the researchers disagree about the seriousness of this defect. Intel says it's not a very big deal, while the researchers say it's pretty urgent.
There's likely a lot more of this to come, too: researchers are just getting to grips with the possibilities of MDS attacks.
"It's kind of like we treat the CPU as a network of components, and we basically eavesdrop on the traffic between them," says Cristiano Giuffrida, one of the researchers in the VUSec group at Vrije Universiteit Amsterdam who discovered the MDS attack. "We hear anything that these components exchange."
"In essence, [MDS] puts a glass to the wall that separates security domains, allowing attackers to listen to the babbling of CPU components," reads one line of a VUSec paper on the flaws, which will be presented next week at the IEEE Security and Privacy conference.
Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs [Andy Greenberg/Wired]