Google’s Project Zero and Microsoft today disclosed the latest variant of the Spectre and Meltdown security flaws that were originally revealed in January. Intel is referring to this one as “Variant 4,” and it uses some of the same security vulnerabilities as the initial discovery…
As reported by CNET, Intel is classifying the new variant as a “medium risk” vulnerability because “many” of the exploits that it would take advantage of were fixed by browsers during the initial set of patches.
Variant 4, like its predecessor, takes advantage of the speculative features of a CPU and thus allows hackers to access sensitive information. The company writes in a blog post:
Like the other GPZ variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment. While we are not aware of a successful browser exploit, the most common use of runtimes, like JavaScript, is in web browsers.
Nevertheless, Intel says it has delivered microcode updates to manufacturers and expects a rollout to commence over the coming weeks.
We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.
As far as performance goes, Intel says it doesn’t expect the patch to affect performance, and suspects that most OEMs will leave the mitigation turned off in an effort to ensure performance remains the same. The company does note, though, that it has observed a “performance impact of approximately 2 to 8 percent” when the mitigation is enabled.
The original Spectre and Meltdown flaws were first discovered in January, with Apple saying that ‘all Mac and iOS devices’ were affected by the flaw.
More information about Intel’s latest Spectre & Meltdown bug can be read on Intel’s website.