Microsoft and Google are jointly disclosing a new CPU security vulnerability that is similar to the Meltdown and Spectre flaws that were revealed earlier this year. Dubbed Speculative Store Bypass (variant 4), the latest vulnerability is similar to Spectre and exploits the speculative execution that modern CPUs use. Browsers such as Safari, Edge and Chrome were patched for Meltdown earlier this year, and Intel says that "these mitigations are also applicable to variant 4 and are available for consumers to use today."
However, unlike Meltdown (and more like Spectre), this new vulnerability will also involve firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more widely available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off by default, which ensures that most people will not see negative performance impacts.
"If enabled, we have observed an impact on performance of approximately 2-8 percent based on the overall scores of the SYSmark 2014 SE and SPEC indexes on the client 1 and server 2 test systems," explains Leslie Culbertson, Intel's security boss.
As a result, end users (and particularly system administrators) will have to choose between security and optimal performance. The choice, as with the previous Spectre variants, will come down to individual systems and servers, and to the fact that this new variant seems to be less risky than the CPU flaws that were discovered earlier this year.
Microsoft began offering up to $250,000 in March for bugs that are similar to the Meltdown and Spectre CPU flaws, and the company says it discovered this new bug in November. "Microsoft previously discovered this variant and made it known to industry partners in November 2017 as part of coordinated vulnerability disclosure (CVD)," a Microsoft spokesperson says. Microsoft is now working with Intel and AMD to determine the impact on system performance.
"We continue to work with the affected chip makers and we have already launched in-depth defense mitigations to address the speculative execution vulnerabilities in all our products and services," says a Microsoft spokesman. "We are not aware of any instances of this kind of vulnerability affecting Windows or our cloud services infrastructure. We are committed to providing additional mitigations to our customers as soon as they are available, and our standard policy for low risk issues is to provide solutions through our Update Tuesday schedule."
Intel is already preparing its own CPU changes for the future. Intel is redesigning its processors to protect against attacks like Spectre or this new variant 4, and the company's next-generation Xeon processors (Cascade Lake) will include new integrated hardware protections, along with 8th generation Intel Core processors shipped in the second half of 2018.