The fallout from the Spectre and Meltdown CPU vulnerabilities continues to send ripples through the technology industry, and Intel is suffering more than most. Its chips were vulnerable to all three variants of these attacks, and its fixes have been heavily criticized for introducing new bugs and doing a poor job of protecting users. Now, Microsoft has issued a rare out-of-cycle patch for Windows systems that removes Intel’s Spectre patch. That has to be embarrassing for Intel.
When we talk about the attack “variants” we’re referring to specific vulnerabilities. Variant 3 is Meltdown, and Variant 1 and Variant 2 are Spectre. Of these three, Variant 2 (CVE-2017-5715) is proving to be quite difficult to pin down for Intel. This Spectre variant is what’s known as a branch target injection, which could allow an attacker to execute arbitrary code on a system. Needless to say, that’s a very bad thing.
Lucian Armasu, 14 Feb. 2018, Tom’s Hardware, “Intel Expands Bug Bounty Program to Include Side-Channel Attacks.”
New updates to the Intel Bug Bounty program include:
- Shifting from an invitation-only program to a program that is open to all security researchers, significantly expanding the pool of eligible researchers.
- Offering a new program focused specifically on side channel vulnerabilities through Dec. 31, 2018. The award for disclosures under this program is up to $250,000.
- Raising bounty awards across the board, with awards of up to $100,000 for other areas.