Microsoft and Google jointly disclose new CPU flaw

By Le Williams | 2 years ago

Google and Microsoft have revealed a new CPU security vulnerability with notable similarities to the Meltdown and Spectre flaws that were revealed earlier this year. The latest vulnerability, labelled Speculative Store Bypass (variant 4), is a similar exploit to Spectre and capitalizes on the speculative execution that modern CPUs use. Browsers such as Chrome, Edge, and Safari were patched for Meltdown earlier this year.

Intel says “these mitigations are also applicable to variant 4 and available for consumers to use today.”

Unlike Meltdown, mitigating the new vulnerability will also involve firmware updates for CPUs, which could affect performance.

Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts.

“If enabled, we’ve observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems,” explains Leslie Culbertson, Intel’s security chief.

As a result, end users will have to choose between security and optimal performance. The choice will come down to individual systems and servers, and to the fact that this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.

In March, Microsoft started offering up to $250,000 for bugs that are similar to the Meltdown and Spectre CPU flaws.

“We are continuing to work with affected chip manufacturers and have already released defense-in-depth mitigations to address speculative execution vulnerabilities across our products and services,” says a Microsoft spokesperson. “We’re not aware of any instance of this vulnerability class affecting Windows or our cloud service infrastructure. We are committed to providing further mitigations to our customers as soon as they are available, and our standard policy for issues of low risk is to provide remediation via our Update Tuesday schedule.”

Intel is already preparing its own CPU changes for the future. Intel is redesigning its processors to protect against attacks like Spectre or this new variant 4, and the company’s next-generation Xeon processors (Cascade Lake) will include new built-in hardware protections, alongside 8th generation Intel Core processors that ship in the second half of 2018.