Microsoft and Intel Disclose Spectre-like CPU Flaw That May Result in Further Performance Loss

A Spectre-like variant known as Speculative Store Bypass is largely mitigated by browser updates, but could still present a risk to users. Consumers can choose to enable a firmware update but will take a performance hit of 2-8%.

Computer Security Wikicommons e

When were disclosed, it became clear that this wouldn't be the end of it. As well as the significant updates and patches, there was the likelihood of variants that hadn't been discovered.

An announcement by , , and starts to show the scope of the problem. Speculative Store Bypass (Variant 4) is a similar flaw that takes advantage of shortcuts in modern CPUs. This means that existing mitigations in Chrome, and Edge will work, but like Spectre it will require firmware updates.

According to Intel, those updates could affect performance by up to 8%. Thankfully, the variant doesn't seem to be as severe as others, so the chipmaker is giving users an option. The protection will be off by default, and you can choose between and performance.

More Flaws to Come?

This raises a number of questions. It's not clear if regular consumers have the knowledge to decide if the mitigation is neccessary. If they do need to enable it, is it unfair that they're getting worse performance than they paid for?

Intel doesn't seem to think so, and there's allegedly seven more flaws in the wild. For its part, Microsoft is helping to push the updates out to OEMs and users. It says it discovered the flaw as early as November 2017, but was working with others to coordinate disclosure.

“On May 21st, a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB) has been announced and assigned CVE-2018-3639,” said a spokesperson. “At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our or service infrastructure, but we are continuing to investigate.”

If it does find vulnerable code patterns, Microsoft is committed to addressing it to a security . It's working with Intel and AMD to assess the performance impact of the mitigation.