Earlier this year we learned of a major exploit that was baked into almost every processor ever released, it was dubbed Spectre.
The bug caused endless headaches for the folks at Intel who did their best to fix the problem, but ended up causing even bigger problems.
Fast forward a few months and Spectre is a thing of the past, at least it was until yesterday.
The Google Project Zero team discovered a new bug that is being called Spectre Variant 4.
The variant uses speculative execution to expose data through a side-channel. This speculative execution is present in most modern CPU architectures, but Intel explains that the way Google Project Zero exploited the bug, it seemingly requires a language-based runtime environment such as a browser.
“Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today,” Intel executive vice president and general manager of Product Assurance and Security, Leslie Culbertson, said in a blog post.
Despite this inbuilt protection, Intel is delivering a microcode update for Variant 4. In fact, the update is currently in beta and should be out in the coming weeks. The Intel head went on to say that the mitigation will be switched off by default because it seems to impact system performance.
“If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems,” Culbertson said.
As for AMD, the firm also already has a fix for Variant 4.
“Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules,” AMD said in a security update.
Truth be told the complexity of exploiting the Variant 4 vulnerability means a miscreant would really have to go out of their way to “hack” you.
That said it’s still a good idea to keep all your software up to date, just in case.
[Image – CC 0 Pixabay]