Right off the bat, 2018 brought us two massive security vulnerabilities that affected almost all types of processors known to man, whether they’re Intel, AMD, or ARM. The good news is chip makers and their partners, including Apple, Google, and Microsoft, eventually issued patches for the affected devices to prevent attacks.

These patches were meant to prevent hackers from accessing private information like user passwords from a computer’s memory by taking advantage of a certain design flaws. They were not permanent fixes, because these security issues are caused by the way the actual chip is built.

With that in mind, don’t be surprised to hear there’s a new Spectre vulnerability in the wild, and your computers need more patching.

Disclosed by Google and Microsoft, the Spectre 4 issue has been acknowledged by Intel in a blog post. The vulnerability doesn’t affect just Intel machines, as AMD and ARM are not out of harm’s way either. This new flaw could be used by hackers in browser-based attacks.

Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers.

Intel says it already issued the microcode update for Variant 4 to its partners, and it should be released into production BIOS and software updates over the coming weeks. However, the mitigation will be off-by-default, meaning the user will have to enable it.

Intel also noted that it had not seen any reports of hackers targeting this particular vulnerability. From the moment we first heard about the Meltdown and Spectre issues, we were told that fixes would have an impact on performance. The same goes for the new fix, and Intel noticed a performance drop of 2% to 8% on client and server systems. Read Intel’s full advisory at this link.

Comments