What is Spectre Variant 4?

by Ashwin, May 28, 2018

A few months ago, computer users worldwide were shocked when it was discovered that their systems could be vulnerable to two hardware-level security vulnerabilities called Spectre and Meltdown. Intel and AMD rushed to patch the firmware on the affected processors, but it appears that the ghost has returned to haunt Intel in the form of Spectre Variant 4.

Ignoring the spooky pun, the news is alarming. Joint research by Microsoft and Google describes the new variants, which are called 3A and 4.

To fix these bugs, Intel has released microcode updates to OEMs in beta form. These mitigations, however, come at a cost, not financial of course, but in terms of performance. Intel says that users will see their systems perform slower than before, and the exact performance hit could be anywhere from 2 to 8%. The numbers were arrived at after various benchmarks, and the mitigation does seem to cause a significant level of impact.

What are these vulnerabilities?

Spectre Variant 4 is actually the more dangerous of the two, because it abuses speculative execution to leak data through a side channel. That is, the processor can speculatively execute memory reads before the addresses of all prior memory writes are known, which can be used to obtain sensitive data from the affected system. This could be used to exploit browsers by attacking language-based runtime environments such as Java.

In Intel’s own words, Variant 3A, named Rogue System Register Read (discovered by ARM), can allow hackers with local access to a machine to gather personal information using side-channel analysis.

Surprisingly, Intel has only given these vulnerabilities a security level of medium, as opposed to the original Spectre flaw, which was rated as a high security risk.

Intel says that fixes for the new vulnerabilities will be released via software updates and BIOS updates; the latter are more difficult because they require manual effort. The mitigation will be disabled by default, leaving the user the choice of whether to enable it at the cost of performance. The updates are said to arrive over the next few weeks, so keep an eye on the website of your PC’s motherboard or laptop manufacturer.

According to Intel’s security report, all generations of processors are affected by Spectre Variant 4 and 3A, including the most recent Intel 8th Gen Coffee Lake chipsets, which means millions of computers worldwide are at risk. So, what about new in-the-box motherboards? Will they be pre-patched with the fixes for these vulnerabilities? We certainly hope so.

These vulnerabilities will also need to be patched by Microsoft, for Windows, and the updates are reportedly being tested.
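Because the mitigation ships disabled by default, it is worth checking what state a machine is actually in. The Python below is an added example, not from Intel or the original article. It assumes a recent Linux kernel, which reports the Variant 4 (Speculative Store Bypass) status in sysfs and the `ssbd` CPU flag in /proc/cpuinfo, and it falls back to constructed sample input when those files are absent; the state names and suggested actions are this example's own labels.

```python
from pathlib import Path

SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")
CPUINFO = Path("/proc/cpuinfo")
# Constructed sample inputs (not captured from a real machine), used when the
# real files are absent so the example still runs.
SAMPLE_SYSFS = "Mitigation: Speculative Store Bypass disabled via prctl\n"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse2 ibrs ibpb stibp ssbd\n"

def classify_ssb(status: str) -> str:
    """Map the kernel's one-line Variant 4 status to a coarse state."""
    s = status.strip()
    if s == "Not affected":
        return "not_affected"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s.startswith("Mitigation:"):
        # "via prctl" (optionally "and seccomp") protects only processes that
        # request it: the mitigation exists but is off by default.
        return "opt_in" if "prctl" in s else "enforced"
    return "unknown"

def has_ssbd_flag(cpuinfo: str) -> bool:
    """True if a CPU advertises ssbd, i.e. the microcode control is present."""
    for line in cpuinfo.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "ssbd" in value.split():
            return True
    return False

def assess(status: str, cpuinfo: str) -> dict:
    """Combine both signals into a state and a suggested next step."""
    state, microcode = classify_ssb(status), has_ssbd_flag(cpuinfo)
    if state == "vulnerable":
        # Heuristic: no ssbd flag points at a missing microcode/BIOS update;
        # with the flag present, the OS has the control but is not using it.
        action = "enable mitigation in OS" if microcode else "install microcode/BIOS update"
    elif state == "opt_in":
        action = "decide whether to enforce system-wide"
    elif state == "unknown":
        action = "check manually"
    else:
        action = "none"
    return {"state": state, "microcode": microcode, "action": action}

def read_or(path: Path, fallback: str) -> str:
    try:
        return path.read_text()
    except OSError:
        return fallback

if __name__ == "__main__":
    print(assess(read_or(SYSFS, SAMPLE_SYSFS), read_or(CPUINFO, SAMPLE_CPUINFO)))
```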