Google and Microsoft have disclosed yet another CPU vulnerability that uses methods similar to those of the first three variants of the Spectre and Meltdown attacks.
First revealed in January, the Spectre and Meltdown vulnerabilities allowed attackers to read system memory on CPUs including those from Intel, AMD, and ARM. There were three variants of these attacks: Variant 1, Variant 2, and Variant 3.
The new vulnerability, discovered by Google Project Zero (GPZ) and the Microsoft Security Response Center (MSRC), is Variant 4, known as Speculative Store Bypass (CVE-2018-3639).
According to Intel, Variant 4 uses speculative execution to expose data to an attacker with local user access through a side channel. Put simply, it allows attackers to access a computer through a logic problem in the central processing unit.
This vulnerability can be exploited through web browsers using their JavaScript runtimes. However, Intel said that the risk of attack is low because most of the leading browser providers, like Safari, Edge, and Chrome, had already deployed mitigations for Variant 1 in their managed runtimes earlier this year. The mitigations for Variant 1 are also applicable to Variant 4, and are available for customers to use.
The new vulnerability can also be used in other ways, like firmware updates that can significantly affect CPU performance. On that front, Intel, Google and Microsoft will provide an additional mitigation for Variant 4: a combination of microcode and software updates.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” wrote Leslie Culbertson, executive vice president and general manager of product assurance and security at Intel, in a blog post.
The mitigations will be set to off by default, and users will have the option to enable them. When enabled, they can impact CPU performance by 2 to 8 percent, noted Intel. There will be no impact on performance when they are disabled.
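
Because the mitigation is off by default, a defender needs a way to see whether it is actually active and to turn it on where it matters. The following is an added example, not code from Intel, Google, Microsoft or the original article; it assumes a Linux kernel that exposes the speculation-control `prctl` interface (4.17 or later), which the article itself does not discuss. It reads the Speculative Store Bypass state for the current process and opts in when per-task control is offered.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Linux speculation-control prctl values (from linux/prctl.h), defined
   here only if the installed headers predate the interface. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS  0
#define PR_SPEC_PRCTL         (1UL << 0)  /* per-task control available */
#define PR_SPEC_ENABLE        (1UL << 1)  /* speculation on, mitigation off */
#define PR_SPEC_DISABLE       (1UL << 2)  /* speculation off, mitigation on */
#define PR_SPEC_FORCE_DISABLE (1UL << 3)  /* as above, cannot be undone */
#endif

/* Decode the bitmask returned by PR_GET_SPECULATION_CTRL. */
const char *ssb_state(long ret)
{
    unsigned long v = (unsigned long)ret;
    if (ret < 0)                   return "unknown";      /* prctl failed */
    if (v == 0)                    return "not affected";
    if (v & PR_SPEC_FORCE_DISABLE) return "mitigated (locked)";
    if (v & PR_SPEC_DISABLE)       return "mitigated";
    if ((v & PR_SPEC_ENABLE) && (v & PR_SPEC_PRCTL))
        return "unmitigated, opt-in available";
    if (v & PR_SPEC_ENABLE)        return "unmitigated, no per-task control";
    return "unknown";
}

/* Opt this task in to the mitigation; returns 0 on success, -1 on error. */
int ssb_opt_in(void)
{
    return prctl(PR_SET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
                 PR_SPEC_DISABLE, 0UL, 0UL);
}

int main(void)
{
    long st = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
                    0UL, 0UL, 0UL);
    printf("store bypass, before: %s\n", ssb_state(st));
    if (st > 0 && (st & PR_SPEC_PRCTL) && (st & PR_SPEC_ENABLE)) {
        if (ssb_opt_in() != 0)
            perror("PR_SET_SPECULATION_CTRL");
        st = prctl(PR_GET_SPECULATION_CTRL, (unsigned long)PR_SPEC_STORE_BYPASS,
                   0UL, 0UL, 0UL);
        printf("store bypass, after:  %s\n", ssb_state(st));
    }
    return 0;
}
```

The same kernels report the system-wide state in `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass`, which is the quicker check when auditing a fleet.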