Researchers find two more Spectre attacks
Posted on Tuesday, Mar 27 2018 @ 13:38 CEST by Thomas De Maesschalck

Two more Spectre-related branch prediction processor vulnerabilities were discovered by a team of researchers from the College of William and Mary, Carnegie Mellon, the University of California Riverside, and Binghamton University. The new vulnerabilities are called BranchScope and Spectre 2:

For Spectre 2, an attacker primes the BTB, carefully executing branch instructions so that the BTB has a predictable content with a target instruction that will, if speculatively executed, disturb the processor's cache in a detectable way. The victim program then runs and makes a branch. The attacker then checks to see if the cache was disturbed; the measurement of that disturbance leaks information.

BranchScope and Spectre 2 both take advantage of different parts of the branch predictor. Spectre 2 relied on a part called the Branch Target Buffer (BTB), the data structure within the processor that records the branch target. BranchScope, instead, leaks information using the direction of the prediction (whether it's likely to be taken or not), which is stored in the pattern history table (PHT).

More at ARS Technica. Other attacks will most likely follow in the coming weeks, months, and years. Hardware makers are moving as fast as they can to make processors more secure, but speculative execution will remain an issue for a long time to come.
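A check an administrator can run for the BTB-based attack (Spectre 2) on Linux, added here as an example and not part of the DV Hardware post or the Ars Technica article: it reads the kernel's own /sys/devices/system/cpu/vulnerabilities/ reporting, which exists since the early 2018 Meltdown/Spectre kernel patches. The function names and the VULN_DIR variable are this example's own; note that BranchScope (the PHT attack) has no sysfs entry, so the kernel reports nothing about it.

```shell
#!/bin/sh
# Reads the kernel's per-vulnerability status files and classifies them.
# Path and file names (spectre_v2, spectre_v1, meltdown, ...) are the kernel's;
# everything else in this file is the example's own naming.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING
# Prints not_affected | mitigated | vulnerable | unknown for one status line.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_spectre_v2 [DIR]
# Exit 0 when the kernel reports spectre_v2 as mitigated or not affected,
# 1 when it reports it vulnerable or has no entry (kernel predates reporting).
check_spectre_v2() {
    dir="${1:-$VULN_DIR}"
    f="$dir/spectre_v2"
    if [ ! -r "$f" ]; then
        echo "spectre_v2: no sysfs entry, kernel too old to report mitigation state"
        return 1
    fi
    status=$(cat "$f")
    kind=$(classify_status "$status")
    echo "spectre_v2: $status [$kind]"
    case "$kind" in
        not_affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# report_all [DIR]
# Prints every entry in the directory; exit 0 only if none is vulnerable/unknown.
report_all() {
    dir="${1:-$VULN_DIR}"
    bad=0
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        kind=$(classify_status "$(cat "$f")")
        echo "$(basename "$f"): $(cat "$f") [$kind]"
        case "$kind" in not_affected|mitigated) ;; *) bad=$((bad + 1)) ;; esac
    done
    [ "$bad" -eq 0 ]
}
```

On a live host, source the file and call check_spectre_v2 or report_all; the exit status is what a cron job or configuration-management check would key on.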