A new Spectre and Meltdown variant has been discovered by Google and Microsoft researchers.
The newly-revealed flaw, called Variant 4, or Speculative Store Bypass, affects processors from Intel, ARM and AMD, meaning hundreds of millions of devices are potentially impacted, though no exploits have been seen in the wild.
Intel said that like Spectre, the variant relies on speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. An advisory by US-CERT said that the vulnerability could allow an attacker to access and read older CPU memory either in the CPU stack or other memory locations.
"An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries," Microsoft Security Center's Security Advisory read.
Hackers could exploit the bug by running JavaScript in web browsers, producing native code that could give rise to an instance of Variant 4 (CVE-2018-3639). Microsoft said that it has strengthend its Edge and Internet Explorer browsers to increase the difficulty of successfully creating such a side channel. Similar steps have been taken for other browsers.
While Intel said some of the Variant 4 exploits were mitigated by previous patches, it has also delivered a microcode update to address the new variant in beta form to OEMs and software vendors, expecting it to be released into production BIOS and software updates over the coming weeks.
However, the patch will be turned off by default, with Intel warning of a 2% to 8% performance hit for those that do enable it.
"We expect most industry software partners will likewise use the default-off option," said Leslie Culbertson, Intel's executive vice president and general manager of product assurance and security.
ARM noted in a blog post that "this method is dependent on malware running locally which means it's imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads".
According to blog posts by Google's Project Zero and the , a flaw in the chips can The vulnerability affects processors from Intel, AMD, and ARM.
-
Apple just released an emergency patch for a zero-day exploited in the wildNews Apple is warning millions of users of iPhones, iPads and Macs to update their software to protect against an out-of-bounds write vulnerability
-
Google's new Jules coding agent is free to use for anyone – and it just got a big update to prevent bad code outputNews Jules came out of beta and launched publicly earlier this month, but it's already had a big update aimed at improving code quality and safety.
-
Millions of Dell laptops are are at risk thanks to a Broadcom chip vulnerability – and more than 100 device models are impactedNews Widely used in high-security environments, the PCs are vulnerable to attacks allowing the theft of sensitive data
-
‘The worst thing an employee could do’: Workers are covering up cyber attacks for fear of reprisal – here’s why that’s a huge problemNews More than one-third of office workers say they wouldn’t tell their cybersecurity team if they thought they had been the victim of a cyber attack.
-
‘A huge national security risk’: Thousands of government laptops, tablets, and phones are missing and nowhere to be foundNews A freedom of information disclosure shows more than 2,000 government-issued phones, tablets, and laptops have been lost or stolen, prompting huge cybersecurity concerns.
-
"Thinly spread": Questions raised over UK government’s latest cyber funding schemeThe funding will go towards bolstering cyber skills, though some industry experts have questioned the size of the price tag
-
Modern enterprise cybersecuritywhitepaper Cultivating resilience with reduced detection and response times
-
IDC InfoBrief: How CIOs can achieve the promised benefits of sustainabilitywhitepaper CIOs are facing two conflicting strategic imperatives
-
The complete guide to the NIST cybersecurity frameworkWhitepaper Find out how the NIST Cybersecurity framework is evolving
-
Are you prepared for the next attack? The state of application security in 2024Webinar Aligning to NIS2 cybersecurity risk-management obligations in the EU
