Microsoft and Google teamed up to disclose a new security vulnerability in CPUs. The companies went into detail by adding that the new flaw is similar to the ‘Meltdown’ and ‘Spectre’ security flaws that were discovered earlier this year. The research teams at both the companies have termed the new flaw as “Speculative Store Bypass (Variant 4)”. Another name given to the flaw is “Side-Channel Vulnerability Variant 4” as noted on the United States Computer Emergency Readiness Team (US-CERT) as part of the security alert that the federal organization issued.
This exploit uses the “speculative execution” that the modern CPUs use to function as reported by The Verge. This would allow anyone who knows what they are doing to steal information directly from the memory without any indication to the end user. According to the report, Web browsers such as Google Chrome, Microsoft Edge, and Apple Safari were already patched against “Meltdown” weeks after the security flaws were discovered. Chipset maker Intel added that all the patches applied to fight “Meltdown” were also applicable for variant 4 and they are available for users who did not install the patch in the first place.
Watch: OnePlus 6 Marvel Avengers Edition First Look
However, the new variant 4 also requires a firmware upgrade for the affected CPUs. This also means that it would affect the performance of the said CPUs. According to the report, Intel has already delivered beta microcode updates for the variant 4 to all its CPU vendors adding that the fixes will “be more broadly available in the coming weeks”.
Regarding the impact on performance after applying the latest firmware update, Intel added that there would be a 2-8 percent decrease. However, most users should not be able to observe the impact as the updates will come with “Speculative Store Bypass protection” disabled by default. This will allow users and system hardware administrators in companies to either choose security or go for performance instead. This will put them in a similar spot of making decisions as to when it came down to applying firmware updates to patch against Spectre.
Microsoft added that it first discovered the flaw back in November 2017 and disclosed it to its industry partners. The company added that it is not aware of any impact caused by variant 4 to its Windows or cloud service infrastructure. If you think about all the problems that Intel has faced this year and are wondering what the company is doing. Then worry not as the company is already working on a set of built-in hardware protection against such attacks with its next generation of server-grade Xeon processors and 8th generation Intel Core chips that will be launched in the second half of 2018.