Google and Microsoft discover new Spectre variant

But patching Speculative Store Bypass flaw could hit performance by up to 8%, warns Intel

A new Spectre and Meltdown variant has been discovered by Google and Microsoft researchers.

The newly-revealed flaw, called Variant 4, or Speculative Store Bypass, affects processors from Intel, ARM and AMD, meaning hundreds of millions of devices are potentially impacted, though no exploits have been seen in the wild.

Intel said that like Spectre, the variant relies on speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. An advisory by US-CERT said that the vulnerability could allow an attacker to access and read older CPU memory either in the CPU stack or other memory locations.

Advertisement - Article continues below

"An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries," Microsoft Security Center's Security Advisory read.

Hackers could exploit the bug by running JavaScript in web browsers, producing native code that could give rise to an instance of Variant 4 (CVE-2018-3639). Microsoft said that it has strengthend its Edge and Internet Explorer browsers to increase the difficulty of successfully creating such a side channel. Similar steps have been taken for other browsers.

While Intel said some of the Variant 4 exploits were mitigated by previous patches, it has also delivered a microcode update to address the new variant in beta form to OEMs and software vendors, expecting it to be released into production BIOS and software updates over the coming weeks.

Advertisement
Advertisement - Article continues below

However, the patch will be turned off by default, with Intel warning of a 2% to 8% performance hit for those that do enable it.

Advertisement - Article continues below

"We expect most industry software partners will likewise use the default-off option," said Leslie Culbertson, Intel's executive vice president and general manager of product assurance and security.

ARM noted in a blog post that "this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads".

According to blog posts by Google's Project Zero and the , a flaw in the chips can The vulnerability affects processors from Intel, AMD, and ARM.

Featured Resources

Top 5 challenges of migrating applications to the cloud

Explore how VMware Cloud on AWS helps to address common cloud migration challenges

Download now

3 reasons why now is the time to rethink your network

Changing requirements call for new solutions

Download now

All-flash buyer’s guide

Tips for evaluating Solid-State Arrays

Download now

Enabling enterprise machine and deep learning with intelligent storage

The power of AI can only be realised through efficient and performant delivery of data

Download now
Advertisement

Recommended

Visit/security/malware/355093/evasive-malware-threats-are-surging
malware

Evasive malware threats doubled in 2019

24 Mar 2020
Visit/security/malware/28083/the-five-best-free-malware-removal-tools
Security

Best free malware removal tools 2019

2 Mar 2020
Visit/antivirus/28144/best-antivirus
antivirus

Best antivirus for Windows 10

3 Sep 2019

Most Popular

Visit/infrastructure/server-storage/355118/hpe-warns-of-critical-bug-that-destroys-ssds-after-40000-hours
Server & storage

HPE warns of 'critical' bug that destroys SSDs after 40,000 hours

26 Mar 2020
Visit/software/video-conferencing/355138/zoom-beaming-ios-user-data-to-facebook-for-targeted-ads
video conferencing

Zoom beams iOS user data to Facebook for targeted ads

27 Mar 2020
Visit/software/355113/companies-offering-free-software-to-fight-covid-19
Software

These are the companies offering free software during the coronavirus crisis

25 Mar 2020
Visit/security/phishing/355120/hackers-pose-as-three-to-exploit-high-data-demand
phishing

Hackers target Three customers with "sophisticated" phishing scam

26 Mar 2020