Meltdown and Spectre, the sequel: Google and Microsoft have discovered a new CPU flaw
Meltdown and Spectre may sound like the names of big-budget spy thrillers, but they were actually considerably more newsworthy. The vulnerabilities heralded a dangerous new era of cyberthreats: attacks that exploit flaws in widespread CPU hardware, rather than an easily patched software loophole.
As hardware and software vendors worked together to quickly issue firmware and software fixes, researchers warned that this was just the beginning of a new trend, and so it has come to pass. Meltdown and Spectre have a sequel, and to make matters worse, nobody has come up with a scary-sounding codename for it, so we're left with one hell of a mouthful: Speculative Store Bypass, also known as Variant 4 (Spectre covers Variants 1 and 2, and Meltdown is Variant 3).
The bug, tracked as CVE-2018-3639, was jointly disclosed by researchers from Microsoft and Google's Project Zero. Although both companies say the risk to users is "low" and that there is no evidence of it being used in the wild, it affects Intel, AMD and ARM processors, so the net of potentially vulnerable chips is quite wide.
Like Spectre, the bug abuses speculative execution, the technique by which a CPU guesses what it will need next and starts working on it before it knows for certain, rather than idling until the answer arrives. Variant 4 targets one particular guess. When a program writes to memory and then reads from memory shortly afterwards, the processor may not yet know whether the two addresses are the same, so it lets the read run ahead using whatever value was at that location before the write. If the guess turns out to be wrong the work is thrown away, but the stale value may already have been used to touch a cache line, and an attacker who times memory accesses afterwards can recover it. That is the same side channel Spectre used, and it means data a program has just overwritten, or a pointer it has just redirected to safe memory, can still briefly be read, which is how secrets such as passwords could leak.
If this is all a bit heavy going, the video below from Red Hat may help you visualise the flaw by asking you to imagine your CPU as a restaurant (no, really).
So how can Speculative Store Bypass Variant 4 be neutralised? Well, the good news is that its effectiveness was already severely lessened by steps taken by web browsers during the Meltdown crisis. As Intel security chief Leslie Culbertson writes in a blog post, the fixes for the likes of Safari, Edge and Chrome “are also applicable to variant 4 and available for consumers to use today.”
Unfortunately, to be completely safe there's another part of the medicine, and this one comes with side effects. A microcode update for affected CPUs adds a switch the operating system can use to stop the risky speculation (Intel calls it Speculative Store Bypass Disable, or SSBD), and flipping it has the disappointing knock-on effect of a small performance drop, if Intel's beta microcode is anything to go by. For that reason Intel's version is turned off by default, leaving consumers and system administrators to choose between performance and security.
“If enabled, we’ve observed a performance impact of approximately 2-8% based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems,” writes Culbertson.
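To make the mechanism and the mitigation concrete, here is an added example (written for this article; it is not code from Intel, Microsoft, Google or Red Hat). The first half shows the shape of a Variant 4 gadget, a store that redirects a pointer to harmless data followed by a load through that pointer, and the same code with the LFENCE barrier Intel's software guidance recommends between such store/load pairs. The second half reads the mitigation state the Linux kernel reports in sysfs and shows the per-process SSBD opt-in, which is how a kernel can leave the costly switch off globally while letting a sandbox or JIT turn it on for itself. The `secret` and `harmless` variables and the `ssb_*` function names are constructed for the example; the sysfs path, status strings and `prctl` constants are the kernel's own.

```c
/* ssb_check.c: added example, not code from the article or its vendors.
 * Build: gcc -O1 -o ssb_check ssb_check.c */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
/* Values from <linux/prctl.h> (kernel 4.17+), in case the headers are older. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#endif

/* ---- Part 1: the gadget ------------------------------------------------ */
static uint8_t secret = 0x2a;             /* constructed: data the attacker wants */
static uint8_t harmless = 0;
static uint8_t *volatile ptr = &secret;   /* volatile: keep the store and the load in the binary */
static uint8_t probe[256 * 512];          /* one cache line per possible byte value */

/* The store points ptr at harmless data, then a load dereferences it.  If the
 * store's address is still unresolved when the load issues (a real attack
 * delays it, e.g. with a slow address computation), the CPU may use the OLD
 * ptr, read `secret` and touch probe[secret * 512].  The result is discarded
 * architecturally, but the cache line stays warm for a timing attack. */
uint8_t gadget_vulnerable(void)
{
    ptr = &harmless;
    uint8_t v = *ptr;      /* architecturally 0; speculatively may be `secret` */
    return probe[v * 512];
}

/* Same code with a speculation barrier between store and load: the load
 * cannot issue until the store has resolved, so no stale value is read. */
uint8_t gadget_hardened(void)
{
    ptr = &harmless;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("lfence" ::: "memory");
#else
    __asm__ volatile("" ::: "memory");   /* compiler-only barrier; not a real mitigation elsewhere */
#endif
    uint8_t v = *ptr;
    return probe[v * 512];
}

/* ---- Part 2: what the running kernel says ------------------------------- */
#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

enum ssb_state { SSB_UNKNOWN, SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_MITIGATED };

/* Classify the one-line status Linux prints for Variant 4, e.g.
 * "Mitigation: Speculative Store Bypass disabled via prctl and seccomp". */
enum ssb_state ssb_classify(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return SSB_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return SSB_VULNERABLE;
    if (strncmp(line, "Mitigation:", 11) == 0)  return SSB_MITIGATED;
    return SSB_UNKNOWN;   /* empty or unknown text: kernel predates the fix */
}

enum ssb_state ssb_read_sysfs(char *buf, size_t len)
{
    FILE *f = fopen(SSB_SYSFS, "r");
    if (!f) { snprintf(buf, len, "(no %s)", SSB_SYSFS); return SSB_UNKNOWN; }
    if (!fgets(buf, len, f)) buf[0] = '\0';
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return ssb_classify(buf);
}

/* Per-process control.  Returns the PR_SPEC_* mask for this task, or -errno
 * (for example -EINVAL/-ENODEV on kernels without the interface). */
long ssb_get_process_ctrl(void)
{
#ifdef __linux__
    long r = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
    return r < 0 ? -errno : r;
#else
    return -ENOSYS;
#endif
}

/* Opt this process in to SSBD (the switch the article describes) without
 * paying the cost system-wide.  Returns 0 on success or -errno. */
int ssb_disable_for_this_process(void)
{
#ifdef __linux__
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0) == 0 ? 0 : -errno;
#else
    return -ENOSYS;
#endif
}

int main(void)
{
    char line[128];
    enum ssb_state s = ssb_read_sysfs(line, sizeof line);
    printf("kernel: %s\n", line);
    long ctl = ssb_get_process_ctrl();
    if (ctl < 0) printf("prctl speculation control unavailable: %s\n", strerror((int)-ctl));
    else printf("this process: SSBD %s\n", (ctl & PR_SPEC_DISABLE) ? "on" : "off");
    if (s == SSB_MITIGATED && ctl >= 0 && (ctl & PR_SPEC_PRCTL))
        printf("opt-in: %s\n", ssb_disable_for_this_process() == 0 ? "SSBD now on" : "failed");
    return 0;
}
```

Both gadget functions return 0 on every run, which is the point: the leak is never visible in the program's own results, only in cache timing, so the presence or absence of the barrier has to be checked in the generated code rather than by observing output. The sysfs line is the quickest way to tell whether a machine actually received the microcode and kernel update; "Vulnerable" means the hardware is affected but the switch described above is not available.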
A Microsoft spokesperson revealed that the company first became aware of this variant back in November 2017, and disclosed it to industry partners as part of Coordinated Vulnerability Disclosure. Another spokesperson told The Verge: “We’re not aware of any instance of this vulnerability class affecting Windows or our cloud service infrastructure. We are committed to providing further mitigations to our customers as soon as they are available, and our standard policy for issues of low risk is to provide remediation via our Update Tuesday schedule.”
The better news is that future processors should be more resistant to this whole family of attacks, though not immune to every variant. For Intel’s part, both the next-generation Xeon processors (Cascade Lake) and 8th generation Intel Core processors will include built-in hardware protections when they ship later this year; Intel has said that redesign targets Variants 2 and 3, with Variant 1 (and, for now, Variant 4) still relying on software and microcode mitigations.