Spectre Lives: Intel, Google and Microsoft confirm new CPU vulnerability
- 22 May, 2018 09:29
German computing magazine C't and later confirmed by Intel, the variant of the Meltdown/Spectre vulnerability that plagued security vendors in late 2017.
According to Intel's executive vice president and general manager of Product Assurance and Security at Intel Corporation Leslie Culbertson, "Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment."
The Red Hat video provides a brief, theoretical overview of how it works.
Thankfully, "starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today."
"However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates."
Culbertson says Intel have "already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option.
Essentially, end-users will have to choose between maximizing performance or security here.
Intel says that "If enabled, we’ve observed a performance impact of approximately 2 to 8 percent".
Microsoft says it "previously discovered this variant and disclosed it to industry partners in November of 2017 as part of Coordinated Vulnerability Disclosure (CVD)".
A spokesperson from the company told The Verge “we are continuing to work with affected chip manufacturers and have already released defense-in-depth mitigations to address speculative execution vulnerabilities across our products and services,” says a Microsoft spokesperson.
“We’re not aware of any instance of this vulnerability class affecting Windows or our cloud service infrastructure. We are committed to providing further mitigations to our customers as soon as they are available, and our standard policy for issues of low risk is to provide remediation via our Update Tuesday schedule.”
Intel, meanwhile, is said to be in the process of redesigning its processors to protect against attacks like Spectre, Meltdown and variant 4. Further details around these hardware-based protections are expected to be revealed later in 2018.