In their research paper with the catchy title Speculative Buffer Overflows: Attacks and Defenses, Vladimir Kiriansky and Carl Waldspurger said that the new Spectre variants take advantage of speculative execution, a feature found in all modern CPUs that improves performance by computing operations in advance and discarding the results that turn out not to be needed.
They said a Spectre 1.1 attack uses speculative execution to trigger an overflow of CPU store buffers, allowing an attacker to write and run malicious code that retrieves data from memory regions that were previously protected. Spectre 1.1 is similar to Spectre variants 1 and 4, but the two researchers who discovered the bug say that "currently, no effective static analysis or compiler instrumentation is available to generically detect or mitigate Spectre 1.1".
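To make the Spectre 1.1 pattern concrete, here is an added C example (it is not code from the paper or from this article): a store guarded by a bounds check, beside the same store hardened with the branch-free index masking that the Linux kernel uses in array_index_nospec. The `struct record` layout, the `sentinel` callback and the function names are constructed for illustration. The mask only clamps the index, so architectural behaviour is unchanged, but it keeps the store inside the buffer even on a mispredicted path where the bounds check has not yet resolved; it is the kind of manual, source-level mitigation one applies while no compiler does this generically.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LEN 16

/* Constructed layout: a data buffer followed by a code pointer, the kind of
 * neighbour an out-of-bounds store must never reach, even transiently. */
struct record {
    uint8_t buf[BUF_LEN];
    void (*on_done)(void);
};

static void sentinel(void) { }

/* Vulnerable pattern: the bounds check is a conditional branch. While the
 * branch is still being resolved the CPU may run the store speculatively with
 * idx >= BUF_LEN. Nothing is committed architecturally, but the transient
 * write can sit in the store buffer and feed later speculative loads, which
 * is the window a bounds-check-bypass store (Spectre 1.1) relies on. */
void store_checked(struct record *r, size_t idx, uint8_t val)
{
    if (idx < BUF_LEN)
        r->buf[idx] = val;
}

/* Branch-free mask: all ones when idx < len, zero otherwise. The top bit of
 * (idx | (len - 1 - idx)) is set exactly when idx >= len (for len below
 * SIZE_MAX/2), so shifting it down yields 1 for out-of-bounds and 0 for
 * in-bounds; subtracting 1 turns that into 0 or all-ones. This is the same
 * construction as the generic array_index_mask_nospec() in the Linux kernel. */
static inline size_t index_mask(size_t idx, size_t len)
{
    size_t oob = (idx | (len - 1 - idx)) >> (sizeof(size_t) * CHAR_BIT - 1);
    size_t mask = oob - 1;
#if defined(__GNUC__)
    /* Make the mask opaque so the compiler cannot prove it redundant inside a
     * bounds-checked branch and drop it: the compiler reasons about
     * architectural execution only, not about misprediction. */
    __asm__ __volatile__("" : "+r"(mask));
#endif
    return mask;
}

static inline size_t mask_index(size_t idx, size_t len)
{
    return idx & index_mask(idx, len);
}

/* Hardened form: same check, but the index used by the store is clamped with
 * the mask, so even on a mispredicted path the write cannot leave buf[]. For
 * in-bounds idx the mask is the identity, so behaviour is unchanged. */
void store_hardened(struct record *r, size_t idx, uint8_t val)
{
    if (idx < BUF_LEN)
        r->buf[mask_index(idx, BUF_LEN)] = val;
}

/* Exercises the hardened store: returns 1 if the in-bounds write landed, the
 * out-of-bounds write was rejected, and the code pointer is untouched. */
int demo_hardened_store(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    r.on_done = sentinel;

    store_hardened(&r, 3, 0xAA);      /* in bounds: written */
    store_hardened(&r, 1000, 0xBB);   /* out of bounds: rejected by the check */

    return r.buf[3] == 0xAA && r.buf[0] == 0 && r.on_done == sentinel;
}
```

The inline asm barrier matters in practice: inside `if (idx < BUF_LEN)` an optimising compiler can see that the mask is always all-ones on the architectural path and delete it, which is exactly why the kernel implements the mask in assembly rather than relying on the C expression alone.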
The pair said that Spectre 1.2 can be exploited to write to CPU memory regions that are normally protected by read-only flags.
"As a result [of malicious Spectre 1.2 writes], sandboxing that depends on hardware enforcement of read-only memory is rendered ineffective", Kiriansky and Waldspurger said.
Like most previous Meltdown and Spectre bugs, both vulnerabilities require the presence of malicious code on the user's PC to carry out the attack. This somewhat limits the bugs' severity, but doesn't excuse sysadmins who fail to apply patches once they become available.
Microsoft, Oracle, and Red Hat have said they are still investigating if Spectre 1.1 affects data handled by their products and are looking into ways to mitigate the risk at the software level.
Intel has also paid the research team a $100,000 bounty for discovering this bug as part of the company's recently launched bug bounty program, which Intel set up following the disclosure of the original Meltdown and Spectre vulnerabilities. This is one of the highest bug bounty rewards known to date.