Dive Brief:
- The ghosts of Meltdown and Spectre are still haunting modern microchips, this time as a flaw dubbed Speculative Store Bypass, or Variant 4, reports Reuters. Chips from Intel, AMD and ARM are impacted, but researchers from Microsoft and Google said the nature of any risk is relatively low due to previously issued patches.
- Variant 4 takes advantage of "speculative bypass," which grants a hacker access to stored memory in a CPU's stack, according to the United States Computer Emergency Readiness Team. If an attacker were to successfully exploit the bypass, it would allow "less privileged code to read arbitrary privileged data and run older commands speculatively."
- At the time of their published findings, Microsoft security researchers "are not aware of any exploitable code patterns of this vulnerability class" in its software or cloud infrastructure, according to Microsoft's Security Advisory. The company, alongside Intel and AMD, has implemented new support for customers. Intel said that most browser providers have "mitigations in their Managed Runtimes" that "substantially increase the difficulty" of carrying out the exploit.
Dive Insight:
Through speculative execution, the original Meltdown and Spectre flaws could effectively read a computer's secrets dating back about two decades. And while these variants are new, the underlying flaws remain the same and require further microcode updates, said Neil MacDonald, VP distinguished analyst for Gartner, in an interview with CIO Dive.
While "there's no need to panic," the latest variants only highlight the reality of future variants, said MacDonald. The flaws will continue to exist until the hardware is completely replaced. Patches and updates only help mitigate risk.
Earlier this month, eight more flaws associated with the original vulnerabilities were reported by German researchers. However, Intel at the time did not confirm or deny the revelations. Instead, Intel assured customers it was continuing to work with other industry partners to cultivate and deploy new security updates.
Intel's chips were not the only ones to face the vulnerabilities head on, but the company took the brunt of public backlash, perhaps due to its somewhat tepid initial responses. CEO Brian Krzanich said that the company was performing a redesign of processors with the addition of partitions to defend future chips against exploit variants.
Because Meltdown effectively took down any barriers to protecting the processor, these new "protective walls" could successfully block a hacker from gaining entry. But because Intel chips are an industry standard and implemented in the devices from vendors like Microsoft and Google, the whole industry got involved.
Microsoft and Google had to issue security patches early this year that initially gave users an "unbootable" device. But as long as products put performance over security, flaws will continue to be unveiled.
MacDonald errs on the side of caution when it comes to deploying patches too quickly. As showcased in January, companies that were too quick to patch subsequently suffered more problems because "the cure was worse than the disease."