This article was published on May 22, 2018

Microsoft, Intel, and Google disclose another Spectre-like CPU flaw



2018 started off on a sour note with the discovery of the Meltdown and Spectre chip-level security flaws, which could be exploited to access secure data on computers powered by the world’s most popular processors. Now, there’s another version doing the rounds.

Microsoft and Google have jointly disclosed what’s being called Speculative Store Bypass (variant 4), which, as the US Computer Emergency Readiness Team describes, “could allow an attacker to read older memory values in a CPU’s stack or other memory locations.”

Variant 4 uses speculative execution, an optimization technique in CPUs, to potentially expose certain kinds of data. The exploit can be run through web browsers via runtimes like JavaScript.

Intel attempted to quash worries by stating that it hasn’t seen this exploit being used in the wild, and that mitigations for this flaw, which could potentially be exploited through browsers, were already deployed back in January to tackle Meltdown and Spectre.

In addition, Intel notes that it has sent patches to OEMs so they can issue firmware updates for their products. But for those who choose to enable the Speculative Store Bypass protection (it’ll be set to off by default), there’s likely going to be a drop in performance of between 2 and 8 percent. So, yes, you’ll have to choose between tight security and performance for the time being.

The bug was discovered back in November 2017 by Microsoft, after which it was disclosed to select industry partners. Hopefully, with Intel’s upcoming chip designs, we won’t have to worry about such security flaws in future devices.
