At the beginning of the year, everyone was talking about processor vulnerabilities called "Meltdown" and "Spectre" that potentially exposed data in everything from servers and desktops to tablets and smartphones. The flaws, which impacted the chips in many popular devices, allowed hackers to inconspicuously manipulate a common efficiency technique used to speed data processing. As a result, chip manufacturers and software makers scrambled to issue patches and work out the performance sluggishness that came along with blocking the risky optimizations.

At the same time, though, a larger concern was also looming: Spectre and Meltdown represented a whole new class of attack, and researchers anticipated they would eventually discover other, similar flaws. Now, one has arrived.

On Monday, researchers from Microsoft and Google's Project Zero disclosed a new, related vulnerability known as Speculative Store Bypass Variant 4 (Meltdown and Spectre collectively make up variants 1-3) that impacts Intel, AMD, and ARM processors. If exploited, an attacker could abuse the bug to access data that is meant to be stored out of reach. It particularly could expose certain components often used in web browsing that are meant to be isolated, for example, a JavaScript module that shows ads.

Microsoft says that the risk to users from this bug is "low," and Intel notes that there is no evidence that the flaw is already being used by hackers. Some systems, particularly browsers, already have some protection against Speculative Store Bypass attacks just from the initial Meltdown and Spectre patches. But as was the case before, chip manufacturers and software developers are now working to release tailored fixes—and SSB raises the same types of performance problems that emerged before.

"We know that new categories of security exploits often follow a predictable lifecycle, which can include new derivatives of the original exploit," Leslie Culbertson, Intel's executive vice president and general manager of product assurance and security, wrote in a statement on Monday. She explains that once they are generally available, some SSB protections will be off by default, requiring users to opt into protection. "If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks."

Modern processors use a technique called "speculative execution" to make educated guesses about what data to work with as they complete tasks instead of waiting to have perfect information about what to do. Meltdown, Spectre, and Speculative Store Bypass flaws are all part of a category of "speculative execution side channels" in which attackers can potentially take advantage of flaws in how processors protect data during this speculative processing to grab information that leaks out in various ways. Systems can rein this in through relatively simple software and firmware (lower level coordinating software) patches. But some updates need to be changes to a processor's "microcode" that tweak the fundamental behavior of how a chip operates, and most software developers will be depending on chip manufacturers to first release microcode updates.

Once companies push all the various types of updates, though, users will decide case by case whether to install them, since bypassing processing efficiencies to neuter potential attacks can also slow systems down. Some Meltdown and Spectre updates caused real problems for businesses and consumers. For SSB—which seems like it may be a less dangerous bug—some users may consider the pros and cons of patching rather than immediately moving forward.