After Meltdown and Spectre, Google and Microsoft disclose a new CPU vulnerability

By Heather Parry

22 May 2018

At the start of this year, two major processor vulnerabilities, known as Meltdown and Spectre, got everyone in the tech community spooked.

The vulnerabilities affected the chips used in many devices, and as such the flaws had the potential to expose data on a massive scale, from information on servers to your mobile devices. Browsers and devices were hastily patched and the resulting speed loss was swiftly dealt with.

Now, there’s another vulnerability that has huge potential consequences.

On Monday, researchers from Project Zero, a joint Google and Microsoft endeavor, disclosed a flaw known as Speculative Store Bypass (variant 4), which is related to Meltdown and Spectre and exploits speculative execution, a technique used by many current CPUs. This means that attackers can, in theory, exploit this flaw to reach data that would otherwise be inaccessible.

Researchers say that there is no evidence that this flaw has already been used by malicious actors, and are quick to confirm that the risk to users is currently low. However, software companies have already begun work to fix the issue.

This vulnerability specifically affects Intel, AMD and ARM processors, and Intel has already delivered patches in beta form to OEMs, with broader rollout expected in the next few weeks.

However, because of the manner in which these patches have to work, it’s possible that there will be a loss of optimization and of processing speed, as was originally seen with fixes to the Meltdown and Spectre issues.

In a blog post addressing the issue, Intel’s Leslie Culbertson explained:

We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems.

This means that, for the foreseeable future, users will have to accept a slight slowdown in processing to ensure optimal security.

Microsoft, too, are said to be working hard to patch the issue. A spokesperson confirmed:

We are continuing to work with affected chip manufacturers and have already released defense-in-depth mitigations to address speculative execution vulnerabilities across our products and services.

Earlier this year Microsoft began offering rewards of $250,000 to those who were able to find vulnerabilities like these, and the fact that such flaws can be found before they are exploited by attackers shows that this decision was a good one.

In the coming weeks, we’ll be able to see how much the fixes offered by software companies will affect usage, if at all.
