Intel has confirmed that the Spectre family of vulnerabilities is the gift that keeps on giving, announcing a fourth variant which - as with its predecessors - comes with a workaround that has a measurable impact on system performance.
Following on from the three primary Meltdown and Spectre vulnerability variants announced earlier this year, Spectre Variant 4 exploits related vulnerabilities in technologies introduced in silicon to boost performance. Spotted and confirmed by Google's Project Zero, Spectre Variant 4 - along with Variant 3a, a version previously thought to affect only selected Arm processors but now confirmed by Intel as extending into the x86 world - allows for attackers to bypass protections against memory access and read arbitrary privileged data or run previously-executed commands still in memory speculatively.
In short, it's once again a pretty serious bug - but there is some good news. The easiest way to exploit the newly disclosed vulnerability is via the web browser, as with its predecessors, and patches introduced against earlier Spectre and Meltdown variants are also effective against Variant 4. Unfortunately, proper protection requires the installation of updated microcode to disable the affected speculative execution system - and doing so will have yet another performance impact, with Intel leaving the choice of whether or not to enable it up to end users.
'We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it,' explains Intel's Leslie Culbertson in a security update. 'We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems.'
In other words: By default, users will be protected exclusively by exploitation countermeasures added to web browsers back in January to protect against Variant 1; those wanting true protection will need to actively enable the workaround, and can expect to lose up to eight percent of their system's performance as a result - on top of the performance impacts from the other Meltdown and Spectre microcode workarounds.
AMD has confirmed its own processors are affected by Variant 4, but has stated it has no intention of releasing a microcode update of its own and will instead rely on operating system patches for protection owing to the difficulties surrounding successful exploitation.
More information on the vulnerability itself can be found in the now-public Google Project Zero post discussing the flaw.
April 9 2019 | 16:50