2018 began on a sour note with the Spectre and Meltdown bugs in January. Barely half a year has passed, and Google, Intel and Microsoft have acknowledged the existence of another CPU flaw that could potentially affect all modern CPUs. New variants of the Spectre and Meltdown vulnerabilities, known as Variant 3A and Variant 4, could potentially allow attackers access to sensitive information on affected systems.
What are Spectre and Meltdown?
Meltdown is a bug that ‘melts’ hardware security protocols, while Spectre is a system flaw that allows attackers to ‘force’ CPUs to divulge their data.
What are the latest CPU flaws all about? What do they have to do with Spectre and Meltdown?
In the latest revelation, Variant 3A is a CPU vulnerability to side-channel attacks that could allow access to system parameters and subsequently sensitive information.
Variant 4 is another vulnerability that exploits speculative store bypass – a type of memory buffer that allows operations to be smoother by utilising smaller memory operations. The Variant 4 vulnerability could allow attackers to read old memory values stored on the device.
While attacks on both variants are difficult to implement, the flaws are particularly vulnerable to side-channel attacks and could allow less-privileged code to access privileged data and operations. It was first discovered by Microsoft in November 2017, before it was disclosed to limited industry partners to seek a resolution to the issue. The computing giant is awarding up to USD 250,000 for the discovery of new bugs, in an attempt to address security flaws at all levels.
Both security vulnerabilities bear a resemblance to the CPU bugs we experienced earlier this year. However, it appears that this revelation is pre-emptive, and no attacks exploiting the latest vulnerabilities have been announced yet.
How do I protect myself?
Intel has released lines of microcode to immediately address the issue in the interim, automatically implemented soon after the announcement. We can expect security systems to be continually updated in a timely fashion.
If you’re feeling vulnerable, you could opt to enable Speculative Store Bypass protection, which is set to off by default. This would, however, reduce performance by between 2% and 8%. So, at least for the time being, you would have to choose between security and optimal performance.
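To see whether that protection is actually on, the script below (an added example, not part of the original article or any vendor tooling) reads the status a Linux kernel reports for Speculative Store Bypass and says whether it is on for everything, opt-in per process, or absent. It assumes Linux 4.17 or later, which exposes the sysfs file used here; the function names are illustrative.

```shell
#!/bin/sh
# Added example: report the Speculative Store Bypass (Variant 4) mitigation
# state on Linux. Assumption: kernel 4.17+ exposing the sysfs file below.
SSB_SYSFS="/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

# Map the kernel's status string to one of:
#   not_affected | vulnerable | per_process | global | unknown
classify_ssb() {
    case "$1" in
        "Not affected"*)            echo not_affected ;;
        "Vulnerable"*)              echo vulnerable ;;
        # "disabled via prctl[ and seccomp]": only processes that ask get it
        "Mitigation:"*"via prctl"*) echo per_process ;;
        # plain "disabled": the bypass is turned off for every process
        "Mitigation:"*)             echo global ;;
        *)                          echo unknown ;;
    esac
}

# Read the status from a file (default: the real sysfs path) and classify it.
ssb_state() {
    file="${1:-$SSB_SYSFS}"
    if [ -r "$file" ]; then
        classify_ssb "$(cat "$file")"
    else
        echo unknown
    fi
}

# Turn the state into a one-line report for the administrator.
ssb_report() {
    case "$(ssb_state "$1")" in
        not_affected) echo "CPU is not affected by Speculative Store Bypass." ;;
        global)       echo "Protection is on for all processes." ;;
        per_process)  echo "Protection is opt-in per process; boot with spec_store_bypass_disable=on to force it on." ;;
        vulnerable)   echo "No protection active; update microcode and kernel." ;;
        *)            echo "Status unavailable (kernel older than 4.17 or not Linux)." ;;
    esac
}

ssb_report "$@"
```

Forcing the protection on with the `spec_store_bypass_disable=on` boot parameter is the setting that carries the performance cost described above.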
New Intel chips might feature more comprehensive security features built right into the architecture, and the two big revelations this year alone might make that a certainty.