Google and Microsoft have revealed a CPU security vulnerability which is similar to the Meltdown and Spectre flaws that were revealed earlier this year.
CPU hardware implementations—known as Spectre and Meltdown—are vulnerable to side-channel attacks. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.
The vulnerability called Speculative Store Bypass (SSB), also known as Variant 4 similarly exploits "speculative bypass". When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations.
According to Intel, “Most leading browser providers have recently deployed mitigations in their Managed Runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.”
Intel has also released microcode updates to operating system vendors, equipment manufacturers, and other ecosystem partners adding support for Speculative Store Bypass Disable (SSBD). In coming weeks, it is expected that the update will be widely available.
The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won’t see negative performance impacts.
Apparently, the update, if enabled, may impact the performance of the computers. So the admins of the system will have to pick between security and performance.
“In this (off) configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate,” explained Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel Corporation.
The exploit was initially discovered separately by Jann Horn of Google Project Zero and Ken Johnson of the Microsoft Security Response Centre.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
