Intel And Microsoft Disclose Latest Spectre-Style CPU Flaw, Official Fix Could Slow Some PCs

Computer users around the world are still reeling from the Spectre flaws that affected many modern ARM and x86-64 CPUs, and earlier this month we learned that there was another Spectre-style vulnerability that could affect processors from Intel, AMD and ARM. Intel and Microsoft have now stepped up and officially disclosed the latest vulnerability.


Intel says that following the Google Project Zero (GPZ) disclosure of speculative execution-based side-channel analysis methods back in January, it has continued working with researchers around the world to figure out whether similar methods could be used in other areas. Intel says that it expected side-channel exploits to follow a predictable life cycle, and it has expanded its bug bounty program to support and accelerate the identification of new methods.

Intel's Leslie Culbertson says that the response to that program has been "encouraging." Because of that continued work, Intel and other industry partners are offering details and mitigation information for a new derivative of the original vulnerabilities affecting chipmakers. The new derivative is dubbed Variant 4 and was disclosed jointly by GPZ and Microsoft's Security Response Center (MSRC). Intel is clear that, as of now, there has been no report of this method being used in real-world exploits.

Intel says that Variant 4 uses speculative execution, which is a feature common to most modern processor architectures, and exposes specific types of data via side channels. Variant 4 specifically was demonstrated by researchers using a language-based runtime environment. Intel says that no successful browser exploit is known. Mitigations that were deployed for Variant 1 starting last January are also applicable to Variant 4 and are already available for consumers to use. Intel and its partners are offering an additional mitigation for Variant 4 that includes a combination of microcode and software updates.

The microcode mitigation for Variant 4 has already been delivered to OEM system manufacturers and system software vendors in beta form. Intel says that it expects the microcode to be released in production BIOS and software updates in the coming weeks. With the mitigation enabled, Intel expects a 2-8% decline in overall SYSmark 2014 SE and SPEC integer rate scores on client and server systems.
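Because the Variant 4 fix arrives as a combination of microcode and operating-system updates, the practical question for an administrator is whether a given host actually reports the mitigation as active. The following script is an added example written for this article, not code from Intel, Microsoft or the article itself. It assumes a Linux host, where the kernel publishes its view of each speculative-execution flaw under /sys/devices/system/cpu/vulnerabilities/ (the spec_store_bypass entry covers CVE-2018-3639); the sample status strings are constructed to match the kernel's wording, and the parser is kept separate from the file read so it can be exercised without access to sysfs.

```python
"""Report the OS-visible mitigation status for Variant 4 / Speculative Store
Bypass (CVE-2018-3639) on a Linux host.

Added example for this article. Assumption: the kernel exposes
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass (present on kernels
that carry the SSBD mitigation); older kernels have no such file, which the
check treats as "unknown" rather than "safe".
"""
from dataclasses import dataclass
from typing import Dict, Optional

SYSFS_PATH = "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"

# Constructed sample lines in the format the kernel writes to that file.
# None models a kernel too old to have the sysfs entry at all.
SAMPLE_STATUSES: Dict[str, Optional[str]] = {
    "patched_host": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "old_microcode": "Vulnerable",
    "unaffected_cpu": "Not affected",
    "old_kernel": None,
}


@dataclass
class SsbStatus:
    state: str          # "mitigated", "vulnerable", "not_affected" or "unknown"
    detail: str         # human-readable explanation
    action_needed: bool # True when the host should be updated or investigated


def classify(status: Optional[str]) -> SsbStatus:
    """Map one sysfs status line (or None for a missing file) to a verdict."""
    if status is None:
        return SsbStatus(
            "unknown",
            "kernel does not report spec_store_bypass; it predates the "
            "mitigation and cannot be assumed safe",
            True,
        )
    text = status.strip()
    if text.startswith("Not affected"):
        return SsbStatus("not_affected", "CPU is not affected", False)
    if text.startswith("Mitigation:"):
        # "disabled via prctl and seccomp" means SSBD is applied per process
        # on request (the Linux default), not unconditionally system-wide.
        return SsbStatus("mitigated", text[len("Mitigation:"):].strip(), False)
    if text.startswith("Vulnerable"):
        return SsbStatus(
            "vulnerable",
            "kernel knows about the flaw but has no mitigation; "
            "microcode and/or kernel update required",
            True,
        )
    return SsbStatus("unknown", f"unrecognised status: {text}", True)


def read_status(path: str = SYSFS_PATH) -> Optional[str]:
    """Read the sysfs entry; return None if it is absent or unreadable."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            return fh.readline()
    except (FileNotFoundError, PermissionError, OSError):
        return None


def check_host(path: str = SYSFS_PATH) -> SsbStatus:
    """Convenience wrapper: read the live entry and classify it."""
    return classify(read_status(path))


if __name__ == "__main__":
    for label, line in SAMPLE_STATUSES.items():
        verdict = classify(line)
        print(f"{label:15s} -> {verdict.state:12s} action_needed={verdict.action_needed}")
    live = check_host()
    print(f"this host      -> {live.state:12s} {live.detail}")
```

The state returned by check_host is what a fleet-wide inventory would collect: "mitigated" confirms the OS side is in place, while "vulnerable" usually means the microcode the article describes has not reached the machine yet. On Windows the equivalent check is Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings), which reports SSBD hardware and OS support separately.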

Microsoft has offered a bit of detail about what an attacker could potentially access using this vulnerability. The software giant says that the attacker could read privileged data across trust boundaries with a successful exploit. "Vulnerable code patterns in the operating system (OS) or in applications could allow an attacker to exploit this vulnerability. In the case of Just-in-Time (JIT) compilers, such as JavaScript JIT employed by modern web browsers, it may be possible for an attacker to supply JavaScript that produces native code that could give rise to an instance of CVE-2018-3639. However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel," wrote Microsoft in its security advisory.