Security researchers from Microsoft and Google have discovered a fourth variant of the data-leaking Meltdown-Spectre security flaws impacting modern CPUs in millions of computers, including those marketed by Apple.
Variant 4 comes weeks after German computer magazine Heise reported about a set of eight Spectre-class vulnerabilities in Intel CPUs and a small number of ARM processors, which may also impact AMD processor architecture as well.
Variants 1 and 2 (CVE-2017-5753 and CVE-2017-5715), known as Spectre, and Variant 3 (CVE-2017-5754), known as Meltdown, are three processor vulnerabilities disclosed by Google Project Zero researchers in January this year.
Now, Microsoft and Google researchers have disclosed Variant 4 (CVE-2018-3639), dubbed Speculative Store Bypass, which is a similar Spectre variant that takes advantage of speculative execution that modern CPUs use to potentially expose sensitive data through a side channel.
Speculative execution is a core component of modern processors design that speculatively executes instructions based on assumptions that are considered likely to be true. If the assumptions come out to be valid, the execution continues and is discarded if not.
However, the speculative-execution design blunders can be exploited by malicious software or apps running on a vulnerable computer, or a nefarious actor logged into the system, to trick the CPU into revealing sensitive information, like passwords and encryption keys, stored in system memory and the kernel.
Unlike Meltdown that primarily impacted Intel chips, Spectre affects chips from other manufacturers as well.
Spectre and Meltdown Continues to Haunt Intel, AMD, ARM
The latest Variant 4 flaw affects modern processor cores from Intel, AMD, and ARM, as well as IBM’s Power 8, Power 9, and System z CPUs—threatening almost all PCs, laptops, smartphones, tablets, and embedded electronics regardless of manufacturer or operating system.
Linux distro giant Red Hat has also provided a video outlining the new Spectre flaw, alongside publishing a substantial guide:
Besides Variant 4, Google and Microsoft researchers have also discovered Variant 3A, dubbed “Rogue System Register Read,” a variation of Meltdown that allows attackers with local access to a system to utilize side-channel analysis and read sensitive data and other system parameters.
Intel has classified Variant 4 as “medium risk” because “many” of the exploits that Speculative Store Bypass attack would exploit were fixed by browsers like Safari, Edge, and Chrome during the initial set of patches.
“Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes—mitigations that substantially increase the difficulty of exploiting side channels in a web browser,” Intel says in its advisory. “These mitigations are also applicable to Variant 4 and available for consumers to use today.”
However, since there is the potential for new exploits, Intel and its partners (including PC makers and OEM system manufacturers) are releasing BIOS and software microcode updates for Variant 4 in the “coming weeks.”
Spectre Mitigations to Result in Another Performance Hit
The mitigation will be turned off by default, providing customers the choice of whether to enable it or not. If enabled, Intel observed a performance hit of approximately 2 to 8 percent on overall scores for benchmarks like “SYSmark 2014 SE and SPEC integer rate on client and server test systems.”
ARM and AMD are also releasing security patches for their respective chips, with ARM saying the latest Spectre variant impacts only a small number of Arm Cortex-A cores and is mitigated with an Arm-developed firmware update.
AMD also released a whitepaper, advising users to leave the fix disabled due to the inherent difficulty of performing a successful Speculative Store Bypass attack and saying:
“Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process.”
“Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules.”
In short, there will not be a permanent solution (rather than just mitigation) for Spectre-like exploits until Intel, and other chip makers release updated chips. So users are strongly recommended to follow good security practices that protect against malware and ensure their software is up-to-date.