The premature disclosure of the Spectre and Meltdown security flaws led to chaos for vendors and customers early last year. Vendors such as Apple, Microsoft, and Ubuntu were forced to release rushed mitigations to combat the problem, which also resulted in some botched updates and performance hits on most machines.
Now, several companies including Microsoft, Google, AMD, ARM, Intel, and Red Hat have jointly disclosed details about Spectre Variant 4, mitigations for which could result in yet another performance hit.
The US-CERT has published details of two new Spectre variants, 3A and 4. The former was originally documented by ARM back in January and is dubbed "Rogue System Register Read"; it allows an attacker with local access to a machine to use side-channel analysis to read sensitive information and other system parameters.
Variant 4, meanwhile, has been labeled "Speculative Store Bypass", and it allows an attacker to read older values from the CPU stack or other memory locations. Although it is relatively difficult to exploit, a successful attack lets the attacker arbitrarily read privileged data and speculatively execute older system commands. This variant was jointly disclosed by Google's Project Zero and Microsoft's Security Response Center.
Intel says that it has released bundled microcode updates for Variants 3A and 4 in beta form to OEMs, and customers should expect a performance hit of 2-8%. The update is expected to roll out over the next few weeks.
Similarly, AMD notes that:
Microsoft is completing final testing and validation of AMD-specific updates for Windows client and server operating systems, which are expected to be released through their standard update process. Similarly, Linux distributors are developing operating system updates for SSB. AMD recommends checking with your OS provider for specific guidance on schedules.
Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation.
We have not identified any AMD x86 products susceptible to the Variant 3a vulnerability in our analysis to-date.
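The AMD statement above refers to the mitigation being left off by default, and the article notes that Linux distributors are shipping operating system updates for SSB. On Linux the kernel reports the Variant 4 status of the running system in a sysfs file, so a defender can check whether a host is unmitigated, mitigated, or not affected. The script below is an added example written for this article, not code from AMD, Intel, Microsoft or any other vendor named here; it assumes a kernel that carries the SSB mitigation patches and therefore exposes /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.

```bash
#!/bin/sh
# Added example (not from the article or any vendor): report and classify the
# Linux kernel's Speculative Store Bypass (Spectre Variant 4) mitigation status.
# Assumes a kernel with the SSB patches, which exposes the status in sysfs.

SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb STATUS_LINE
# Maps the kernel's status text to one of: not_affected, mitigated, vulnerable, unknown.
# Real kernel strings look like "Not affected", "Vulnerable", or
# "Mitigation: Speculative Store Bypass disabled via prctl and seccomp".
classify_ssb() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# read_ssb_status
# Prints the raw sysfs line, or "missing" when the kernel does not expose the
# file (pre-mitigation kernel, non-Linux host, or a restricted container).
read_ssb_status() {
    if [ -r "$SSB_SYSFS" ]; then
        cat "$SSB_SYSFS"
    else
        echo missing
    fi
}

# Print the raw status and its classification for the current host.
main() {
    status=$(read_ssb_status)
    echo "spec_store_bypass: $status"
    echo "classification:    $(classify_ssb "$status")"
}

main "$@"
```

A "missing" result means the kernel predates the SSB patches and cannot be assumed safe. A "Mitigation: ... via prctl and seccomp" result is the opt-in mode AMD describes: memory disambiguation stays enabled for ordinary processes, and only processes that request it through prctl(PR_SET_SPECULATION_CTRL) or a seccomp filter run with the bypass disabled. The kernel's spec_store_bypass_disable= boot parameter selects between that default and a system-wide setting.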
Microsoft, on the other hand, says that it has not yet identified a vulnerable code pattern in its products; it will continue researching this area and will release updates if required.
It is certainly troubling to see Spectre and Meltdown having such lingering effects, with workarounds that could result in further performance hits. However, the fact that companies are now working together in a more coordinated way to jointly disclose vulnerabilities and release mitigations should be encouraging to customers as well, particularly after the bungled disclosure in January.