Intel, Google and Microsoft confirm new CPU vulnerability
22 May 2018 | 0
Reported by German computing magazine C’t and later confirmed by Intel, Variant 4 is the latest version of the Meltdown/Spectre vulnerability that plagued security vendors in late 2017.
According to a blog post from Intel’s executive vice president and general manager of product assurance & security Leslie Culbertson like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment.
A Red Hat video provides a brief, theoretical overview of how it works.
Thankfully, “starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a Web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today,” said Culbertson.
“However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.”
Culbertson said Intel has “already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option.
Essentially, end-users will have to choose between maximising performance or security.
Intel says that “If enabled, we’ve observed a performance impact of approximately 2-8%”.
Microsoft said it “previously discovered this variant and disclosed it to industry partners in November of 2017 as part of Coordinated Vulnerability Disclosure (CVD)”.
A spokesperson from the company told The Verge “we are continuing to work with affected chip manufacturers and have already released defense-in-depth mitigations to address speculative execution vulnerabilities across our products and services.”
“We’re not aware of any instance of this vulnerability class affecting Windows or our cloud service infrastructure,” the spokesperson continued. “We are committed to providing further mitigations to our customers as soon as they are available, and our standard policy for issues of low risk is to provide remediation via our Update Tuesday schedule.”
Intel, meanwhile, is said to be in the process of redesigning its processors to protect against attacks like Spectre, Meltdown and Variant 4. Further details around these hardware-based protections are expected to be revealed later this year.
IDG News Service