Microsoft and Google say they have found a fourth Meltdown-Spectre variant
Bad news, everyone. If you thought we were out of the woods when it comes to the Meltdown / Spectre CPU security flaws, then think again. Researchers from Microsoft and Google have identified a previously unknown fourth variant of the processor design issues that made front page news when they were discovered last year.
Like its predecessors, variant 4 (or CVE-2018-3639, to give its full name) describes a processor design issue that could allow malicious software to discover hidden information, such as a user’s password. For example, a webpage set up by a malware programmer could discover passwords, credit card numbers and other private information input elsewhere in the same browser.
Like Spectre and Meltdown, it exploits the speculative execution feature of modern processors, which work by predicting which path will be taken in a program and continuing execution down that path. If a different branch is chosen, the work done is dropped, but if the prediction was correct, then some execution time will have been saved.
The new variant affects a wide range of processors, including those made by Intel, AMD, ARM and IBM. Intel and AMD processors are widely used in desktop and laptop PCs, ARM processors power almost all smartphones and tablets, and IBM’s affected processors are commonly used in servers. Therefore, the vast majority of devices on the market are potentially affected by the design issue.
However, most browsers were updated in response to the earlier Meltdown and Spectre threats, and these fixes should also ameliorate issues caused by this new fourth variant. That means that if you have already updated your browser to its most recent version, you ought to be protected in most cases. Processor makers have been alerted to the new issue and should release updates themselves to provide more comprehensive protection.
However, these patches will need to be manually enabled by Intel and AMD users, as enabling the patch will remove some processor features and therefore reduce system performance. The total slowdown from the fourth variant patch is expected to be in the region of 2% to 8%, depending on the workload and processor.
As always, keeping your operating system, drivers and programs up to date is important. It looks like this new variant is only of moderate risk and there are no known examples of it being used, but it’s still chilling to know how many similar and undiscovered exploits may still exist.