Google and Microsoft find new strain of Spectre and Meltdown

Security researchers at Google and Microsoft have found a new variant of the Spectre security flaw that was first reported back in January this year.

Rumors of the latest CPU bug were disclosed by a German computer science publication earlier this month, but the details of the vulnerability were only officially revealed on Monday, May 21.

Called Speculative Store Bypass (or Variant 4), the new strain exploits similar vulnerabilities as the older Spectre and Meltdown bugs but, according to Intel, uses a different method to access sensitive information.

Partly patched

The new variant can be exploited by running script files (or text files which contain a sequence of commands) on programs like web browsers. If hackers manage to successfully exploit this vulnerability, they’ll be able to get sensitive information off other parts of the program, like another tab in the case of browsers.

Intel, however, has classified the new bug as medium risk, explaining in a blog post that most of the exploits it uses were fixed in the original wave of patches that were rolled out.

“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” said Intel’s vice president of Product Assurance and Security.

Slowing it down

As we saw with previous Spectre and Meltdown patches, these new processor firmware updates could potentially reduce system performance too. Intel says the mitigations will “be set to off-by-default”, meaning users who don’t enable the new protections should not experience the negative impacts of the patch, but obviously won't be protected either.

“If enabled, we’ve observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems,” Culbertson said.

This puts the proverbial ball into the end user’s court, leaving them to choose between security and speed.



Powered by Blogger.