Just when we thought that we were past the myriad of Spectre and Meltdown CPU flaws, Intel (along with Google and Microsoft) has today shed light on a new strain of Spectre-style vulnerabilities called Speculative Store Bypass or Variant 4. While close to eight new variants of Spectre were discovered recently, this is the fourth one to be disclosed by the popular chipmaker.
Similar to the Spectre vulnerability, this exploit also uses speculative execution to affect most modern CPUs and can potentially expose private data through a side channel, says Intel in its blog post. The attacks concerning the same are known to work only in a ‘language-based runtime environment’ such as a web browser but the company is not aware of a successful browser exploit.
Intel has classified this Variant 4 exploit as a medium-risk vulnerability and added that it shouldn’t affect most users as mitigations rolled out for the ‘first strain’ of Spectre exploit would work against this as well. However, the chipmaker has worked with its OEM partners and has already pushed the beta microcode update for Speculative Store Bypass to them. In the blog post, it adds,
We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.
While this update will help mitigate the Variant 4 vulnerability, it would come at the cost of performance — similar to previous patches. Intel has seen a performance impact of about 2 – 8%.
Thus, the firmware update will set Speculative Store Bypass protection to off-by-default to ensure that it does not hinder productivity. It will, however, be at the cost of personal security. Talking about its efforts, Intel’s Executive VP of Product Assurance and Security says,
Research into side-channel security methods will continue and likewise, we will continue to collaborate with industry partners to provide customers the protections they need.
As for the future, Intel has already started redesigning its processors to avoid Spectre and Meltdown-like vulnerabilities. It’s even adding built-in hardware protections in its next-gen Intel Core and Xeon processors.