
Microsoft, Google reveal fourth variant of Meltdown and Spectre exploit, Intel promises new security patches

It looks like the Meltdown and Spectre security flaws could continue to haunt Intel and other chip makers for quite a long time. Yesterday, Microsoft, Google and Intel jointly revealed a fourth variant of the Meltdown and Spectre vulnerabilities, which according to Intel affect “many modern microprocessor architectures, including but not limited to Intel’s.”

This new variant of the Spectre and Meltdown security flaws is called “Speculative Store Bypass,” and it could allow attackers to gather sensitive data on your PC. Here is how Intel described the vulnerability:

Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers.

According to the chip maker, previous security updates for the most popular web browsers already offer some protection against this new Variant 4. However, Intel still plans to offer additional mitigation through a combination of microcode and software updates, and the bad news is that the firmware updates will negatively impact performance. Intel has already made beta microcode updates available for its various industry partners, and it expects them to roll out over the coming weeks. However, the mitigation will be turned off by default and it will be up to PC manufacturers to enable it or not.

“Research into side-channel security methods will continue and likewise, we will continue to collaborate with industry partners to provide customers the protections they need,” said Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel Corporation. It’s important for Intel to be prepared for future Meltdown and Spectre variants that have yet to be discovered, but the company also announced earlier this year that its upcoming Xeon and 8th gen Core chips will have built-in protections against Meltdown and Spectre.
