Here comes the next Spectre vulnerability (Spectre V4 CPU)
If you thought that you are done patching your devices against Meltdown or Spectre exploits, you might want to reconsider. Patches for some hardware configurations and operating systems were released by Microsoft, Intel and hardware manufacturers ever since the vulnerabilities were revealed in early 2018.
Hot on the heels of the news of newly discovered Spectre Next Generation vulnerabilities comes news of a new threat that Microsoft and Google disclosed recently.
AMD published a whitepaper which you may access here.
Intel published information on the company's Newsroom website about Spectre Variant 4. The new vulnerability affects processors by Intel, AMD and ARM and uses speculative execution just like other Spectre variants disclosed earlier this year.
The web browser is the most likely attack vector for Variant 4 as the researchers demonstrated the vulnerability in a language-based runtime environment.
Intel is not ware of exploits in the wild and believes that mitigations deployed by browser developers to protect or mitigate against previous Spectre variants help mitigate Spectre Variant 4 attacks as well.
Still, Intel and the company's software partners, offer "additional mitigation for Variant 4". In other words, microcode and software updates. OEM manufacturers received beta versions of the microcode update already and Intel announced that it plans to release the final versions in the coming weeks.
The company plans to release the update in an off-state by default giving customers the option to enable it, or not. The updates won't affect performance of systems they are installed on in off-state. System performance may drop by 2% to 8% in benchmarks if the mitigation is enabled according to Intel.
The same update includes microcode that protects against Spectre Variant 3a. Intel made the decision to bundle the two updates to "streamline the process for our industry partners and customers".
Additional information about affected products is available on the Q2 2018 Speculative Execution Side Channel Update page on Intel's Security Center website. The page lists all affected Intel processors, recommendations, and other information.