New Spectre/Meltdown Variant Appears

Intel has announced that another flaw in their processor architecture has been identified. Dubbed “Variant 4”, the Speculative Store Bypass may allow unauthorised disclosure of information by allowing memory to be read without appropriate permissions. The flaw was reported to Intel by researchers from Google’s Project Zero and the Microsoft Security Response Center.

Intel has released a code patch that greatly reduces the risk of being attacked through this flaw. But that patch will cost you some CPU grunt. The company said the pact will result in a performance hit of up 8%. While that might not be noticeable to many of us, it can make a material difference to some operations.

When Spectre and Meltdown were initially reported, the two flaws actually comprised of three separate issues. CVE 2017-5715 and CVE 2017-5753 were collectively called Spectre with CVE 2017-5754 named Meltdown.

Just to add to the fun, another bug, called Variant 3a (CVE-2018-3640) was reported to Intel by Zdenek Sojka, Rudolf Marek and Alex Zuepke from SYSGO AG.

Intel’s advice lists all the different processor families that are affected as well as recommendation on what to do to mitigate the risks.

If you’re concerned about the risks of Spectre and Meltdown, Gartner offers some commonsense advice. It starts with assessing which systems are most at risk and planning what to do about those. It may be that packing isn’t the best solution but that other security techniques, such as isolating systems is a more practical remedy.