Google and Microsoft disclose new Variant 4 Meltdown, Spectre CPU flaw


SpectreNG

Back in the start of 2018, Meltdown and Spectre CPU flaw affected most of the CPUs including Intel, ARM, and others. Months after the detection, Google’s Project Zero’s (GPZ) and Microsoft have discovered another new form of Spectre-Meltdown CPU flaw;  Speculative Store Bypass (variant 4).

The latest vulnerability is similar to Spectre and exploits speculative execution that modern CPUs use. However, Intel claims that they have not seen any reports of this method being used in real-world exploits so far. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and according to Intel, these mitigations are also applicable to variant 4 and available for consumers to use today.

Similar to Spectre, the new Variant 4 will also affect performance upon fixing it with firmware updates. Intel says that it has already delivered the microcode update for Variant 4 in beta to OEMs and system software vendors, and the broad reach is expected to be available in the coming weeks. This update would set the Speculative Store Bypass protection to off-by-default, so users won’t notice any performance impacts.

However, if enabled, a noticeable performance impact of approximately 2 to 8% is seen based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems. This leaves users with two choices; security or performance and will come down to individual systems and servers. The Variant 4 affects a different part of the speculative execution process, meaning the data inside the “store buffer” inside a CPU’s cache. This same update also includes microcode that addresses Variant 3a, says Intel.

Leslie Culbertson, Intel’s security chief said:

Protecting our customers’ data and ensuring the security of our products remain critical priorities for me and everyone at Intel. Research into side-channel security methods will continue and likewise, we will continue to collaborate with industry partners to provide customers the protections they need. Indeed, we are confident that we will be able to develop mitigations for Intel products for any future side-channel issues.

Source