We continue our coverage of the Meltdown and Spectre vulnerabilities: several companies, including Microsoft, Google, AMD, ARM, Intel, and Red Hat, have jointly revealed details of a new Spectre variant 4, whose mitigations will result in a loss of performance.
New Spectre variant will cause loss of performance
US-CERT has detailed two new Spectre variants, namely 3A and 4. The first was originally documented by ARM in January, and allows attackers with local access to a machine to use side-channel analysis to read confidential information and other system parameters.
As for variant 4, it has been labeled “Speculative Store Bypass”, and allows those with malicious intent to read previous system values from a CPU stack, or other memory locations. If an attack is successful, the attacker will be able to arbitrarily read privileged data, and speculatively execute previous system commands.
Intel says it has provided equipment manufacturers with beta microcode updates for variants 3A and 4, and that customers should expect a 2-8% loss in performance. This new update is expected to be deployed in the coming weeks.
On the other hand, Microsoft says it has not yet determined a vulnerable code pattern in its products but will investigate further and release updates if necessary. Companies are now working together in a more coordinated manner to jointly disclose vulnerabilities and release mitigations for customers, particularly after all the problems experienced in January.
As for AMD, its processors are reported not to be vulnerable to variant 3A, but nothing is said about variant 4.