
    NetSpectre Attack Could Enable Remote CPU Exploitation

    Written by

    Sean Michael Kerner
    Published July 27, 2018

      Researchers from Graz University in Austria released new research on July 26 detailing how the Spectre CPU speculative execution vulnerability could be exploited remotely over a network.

      In a 14-page report, the researchers dubbed their attack method NetSpectre, which can enable an attacker to read arbitrary memory over a network. Spectre is the name that researchers have given to a class of vulnerabilities that enable attackers to exploit the speculative execution feature in modern CPUs. Spectre and the related Meltdown CPU vulnerabilities were first publicly disclosed on Jan. 3.

      “Spectre attacks require some form of local code execution on the target system,” the Graz University researchers wrote. “Hence, systems where an attacker cannot run any code at all were, until now, thought to be safe.”

      With NetSpectre, the researchers detail a novel, albeit slow, approach to remotely exploiting Spectre on a vulnerable system. According to the researchers, the NetSpectre attack method can leak information at a rate of 15 bits per hour.

      Multiple variants and related attack approaches have been reported since the initial Spectre and Meltdown vulnerabilities were disclosed in January. The most recent were a pair of additional variants reported on May 21. To date, though, all prior variants of Spectre and Meltdown have required an attacker to first get local access to a vulnerable system.

      “NetSpectre marks a paradigm shift from local attacks, to remote attacks, exposing a much wider range and larger number of devices to Spectre attacks,” the researchers wrote. “Spectre attacks now must also be considered on devices which do not run any potentially attacker-controlled code at all.”

      The researchers reported the NetSpectre attack method to Intel, which claims that the issue has already been mitigated in the firmware updates the chip maker made available for the CVE-2017-5753 Spectre variant attack.

      “NetSpectre is an application of Bounds Check Bypass (CVE-2017-5753), and is mitigated in the same manner—through code inspection and modification of software to ensure a speculation stopping barrier is in place where appropriate,” Intel wrote in a statement. “We provide guidance for developers in our whitepaper, Analyzing Potential Bounds Check Bypass Vulnerabilities, which has been updated to incorporate this method. We are thankful to Michael Schwarz, Daniel Gruss, Martin Schwarzl, Moritz Lipp, and Stefan Mangard of Graz University of Technology for reporting their research.”
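
The bounds-check pattern that Intel's statement refers to, shown beside two hardened forms, as an added example that is not code from the article, the researchers or Intel's whitepaper. The table, the function names and the masking helper are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#define TABLE_LEN 16  /* constructed sample data, not from the article */
static const uint8_t table[TABLE_LEN] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};

/* x86: LFENCE holds back later instructions until earlier ones, including the
 * bounds check, complete. Elsewhere this is only a compiler barrier. */
static inline void speculation_barrier(void)
{
#if defined(__x86_64__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");
#endif
}

/* Branch-free mask: all ones when idx < len, zero otherwise.
 * Assumes len <= INTPTR_MAX and an arithmetic right shift (GCC, Clang). */
static inline size_t index_mask(size_t idx, size_t len)
{
    __asm__ volatile("" : "+r"(idx)); /* hide idx so the mask is not folded away */
    return (size_t)(~(intptr_t)(idx | (len - 1 - idx)) >> (sizeof(intptr_t) * 8 - 1));
}

/* Before: correct architecturally, but the load may run speculatively out of range. */
int lookup_unhardened(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN) return -1;
    *out = table[idx];
    return 0;
}

/* After (barrier): the load does not start until the check has resolved. */
int lookup_fenced(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN) return -1;
    speculation_barrier();
    *out = table[idx];
    return 0;
}

/* After (masking): a mispredicted path can only ever read table[0]. */
int lookup_masked(size_t idx, uint8_t *out)
{
    if (idx >= TABLE_LEN) return -1;
    idx &= index_mask(idx, TABLE_LEN);
    *out = table[idx];
    return 0;
}
```

The masked form avoids the serialization cost of a barrier on hot paths, which is why it suits bounds checks on untrusted indexes in network-facing code.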

      Industry Reaction

      Security experts contacted by eWEEK had mixed views about the impact of the NetSpectre disclosure.

      “Although, in practice, the threat of this new evolution of the Spectre vulnerability being exploited is low, it is something to continue watching,” Dan Hubbard, chief security architect at Lacework, told eWEEK. “Researchers continue to find flaws that could potentially lead to remote code execution in the future, and security companies and practitioners need to continue to keep up-to-date with the latest research and mitigation techniques.”

      Brajesh Goyal, vice president of engineering at Cavirin, said NetSpectre does in fact introduce a new, quite sophisticated attack vector for Spectre exploitation. In his view, the best practices to defend against the threat are to ensure proper patching and multilayer security. 

      Chris Morales, head of security analytics at Vectra, said that it’s good news that existing mitigation techniques for Spectre also apply to NetSpectre. 

      “The bad news is this is proof of research into new methods that Spectre can be used for an attack, and I’m sure there will be many more methods exposed over time,” Morales told eWEEK. “We are not in the clear on the Spectre attack, nor will we be for quite some time.” 

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
