Specter And Meltdown were the first and with each passing week are getting confirmations of new vulnerabilities. The latest of which have been confirmed by Google and Microsoft, Specter Variant 4 and Meltdown Variant 3a. Specter Variant 4 is also called the Speculative Store Bypass. This exploit allows the hacker to gain access to information using the speculative execution mechanism of a CPU.
Information regarding Meltdown Variant 3a comes from Google’s Project Zero and Microsoft Security Response Center. Cortex-A15, -A57 and -A72 ARM cores have been affected by this issue. Talking about Specter Variant 4 there is a wide range of processors that have been affected. According to the released document from Intel:
CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as Variant 4
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
According to Intel, Specter Variant 4 is a moderate security risk as many of the exploits that it uses have already been taken care of. Intel further stated the following:
This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark(R) 2014 SE and SPEC integer rate on client1 and server2 test systems.
Specter Variant 4 not only affects Intel CPUs but AMD, ARM and IBM as well. AMD has confirmed that CPUs across the board have been affected all the way back to the first generation of Bulldozer, this is not a good sign but luckily these issues can be patched. Having said all this, there are still 6 more vulnerabilities that we have not been told about but should be made public in the upcoming week or so.
Let us know what you think about Specter Variant 4 and Meltdown variant 3a and what you think should be done in order to protect consumers that are using chips affected by these vulnerabilities.