After the disclosure of Meltdown and Spectre, Microsoft and Google promptly shed light on Speculative Store Bypass (variant 4), the latest vulnerability in a string of CPU flaws. Much like Intel’s buggy Spectre patches, the latest fix quells variant 4, but at the price of slowing some systems down by up to 8 percent.
Intel revealed that the Meltdown-mitigating patch for Safari, Edge, and Chrome “are also applicable to variant 4 and available for consumers to use today,” meaning that users needn’t worry about security issues.
The bolstered security might come at the impact of performance, however, as Intel’s security chief, Leslie Culbertson has revealed that it “observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems.”
Speculative Store Bypass (variant 4) is considered less of a security risk than the other three variants, affording the opportunity for users to choose between security and performance depending on the system and server.
“We are continuing to work with affected chip manufacturers and have already released defense-in-depth mitigations to address speculative execution vulnerabilities across our products and services,” says a Microsoft spokesperson, possibly referencing its continued efforts in bug bounties, collaboration with processor manufacturers and distribution of fixes.
“We’re not aware of any instance of this vulnerability class affecting Windows or our cloud service infrastructure,” continues Microsoft. “We are committed to providing further mitigations to our customers as soon as they are available, and our standard policy for issues of low risk is to provide remediation via our Update Tuesday schedule.”
Intel’s latest patch, which remains in beta form to OEMs, will ensure that the patch is set to off-by-default, creating an opt-in system regarding negative performance impacts in favour of security. This should be available via BIOS updates in the coming weeks.
In the meantime, Intel is still working on its Spectre-proof CPUs, with future processors housing built-in hardware to protect against the attacks.
KitGuru Says: While it’s disappointing to see so many flaws come to light at once, it’s impressive to see so many companies banding together in an effort to properly disclose the issues and help with a fix. In my opinion, security should almost always come before performance, however it looks like variant 4 doesn’t pose too much of a threat to the general user.