When Meltdown and Spectre were disclosed, it became clear that this wouldn’t be the end of it. As well as the significant updates and patches, there was the likelihood of variants that hadn’t been discovered.
An announcement by Microsoft, Intel, and Google starts to show the scope of the problem. Speculative Store Bypass (Variant 4) is a similar flaw that takes advantage of shortcuts in modern CPUs. This means that existing mitigations in Chrome, Firefox and Edge will work, but like Spectre it will require firmware updates.
According to Intel, those updates could affect performance by up to 8%. Thankfully, the variant doesn’t seem to be as severe as others, so the chipmaker is giving users an option. The protection will be off by default, and you can choose between security and performance.
More Flaws to Come?
This raises a number of questions. It’s not clear if regular consumers have the knowledge to decide if the mitigation is neccessary. If they do need to enable it, is it unfair that they’re getting worse performance than they paid for?
Intel doesn’t seem to think so, and there’s allegedly seven more flaws in the wild. For its part, Microsoft is helping to push the updates out to OEMs and Windows users. It says it discovered the flaw as early as November 2017, but was working with others to coordinate disclosure.
“On May 21st, a new subclass of speculative execution side channel vulnerabilities known as Speculative Store Bypass (SSB) has been announced and assigned CVE-2018-3639,” said a spokesperson. “At the time of publication, we are not aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”
If it does find vulnerable code patterns, Microsoft is committed to addressing it to a security update. It’s working with Intel and AMD to assess the performance impact of the mitigation.