NetSpectre — New Remote Spectre Attack Steals Data Over the Network
Scientists have published a paper today detailing a new Spectre-class CPU attack that can be carried out via network connections and does not require the attacker to host code on a targeted machine.
The biggest is the attack's woefully slow exfiltration speed, which is 15 bits/hour for attacks carried out via a network connection and targeting data stored in the CPU's cache. Both NetSpectre variations are too slow to be considered valuable for an attacker. This makes NetSpectre just a theoretical threat, and not something that users and companies should be planning for with immediate urgency.
Under the hood, this new NetSpectre attack is related to the Spectre v1 vulnerability (CVE-2017-5753) that Google researchers and academics have revealed at the start of the year. As such, all CPUs previously affected by Spectre v1 are believed to also be affected by NetSpectre, although academics said that existing vendor mitigations should stop NetSpectre, if they've been deployed with our OS and CPU's firmware.