Google and Microsoft find new strain of Spectre and Meltdown
Patches could again degrade PC performance
Security researchers at Google and Microsoft have found a new variant of the Spectre security flaw that was first reported back in January this year.
Rumors of the latest CPU bug were reported by a German computer science publication earlier this month, but the details of the vulnerability were only officially revealed on Monday, May 21.
Called Speculative Store Bypass (or Variant 4), the new strain exploits vulnerabilities similar to those behind the older Spectre and Meltdown bugs but, according to Intel, uses a different method to access sensitive information.
Partly patched
The new variant can be exploited by running script files (text files that contain a sequence of commands) in programs like web browsers. If hackers manage to successfully exploit this vulnerability, they’ll be able to read sensitive information from other parts of the program, such as another tab in the case of browsers.
Intel, however, has classified the new bug as medium risk, explaining in a blog post that most of the exploits it uses were fixed in the original wave of patches that were rolled out.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” said Intel’s vice president of Product Assurance and Security.
Slowing it down
As we saw with previous Spectre and Meltdown patches, these new processor firmware updates could potentially reduce system performance too. Intel says the mitigations will “be set to off-by-default”, meaning users who don’t enable the new protections should not experience the negative impacts of the patch, but obviously won't be protected either.
“If enabled, we’ve observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems,” Culbertson said.
This puts the proverbial ball into the end user’s court, leaving them to choose between security and speed.
While she's happiest with a camera in her hand, Sharmishta's main priority is being TechRadar's APAC Managing Editor, looking after the day-to-day functioning of the Australian, New Zealand and Singapore editions of the site, steering everything from news and reviews to ecommerce content like deals and coupon codes. While she loves reviewing cameras and lenses when she can, she's also an avid reader and has become quite the expert on ereaders and E Ink writing tablets, having appeared on Singaporean radio to talk about these underrated devices. Other than her duties at TechRadar, she's also the Managing Editor of the Australian edition of Digital Camera World, and writes for Tom's Guide and T3.