UPDATED 22:38 EST / MAY 21 2018

INFRA

Four and counting: Google and Microsoft reveal another Spectre chip vulnerability

Google Inc. and Microsoft Corp. today revealed yet another Spectre vulnerability that uses some of the same methods used in the first three variants but with a slight twist.

The Spectre and related Meltdown vulnerabilities, first revealed in January, give malicious actors access to data running through the central processing unit chip, meaning that potentially any data on an unpatched device is at risk. The vulnerabilities, also found in some Advanced Micro Devices Inc. and ARM Holdings Ltd. chips, involves the ability to run a “Speculative Execution Side-Channel Attack,” a compromise of the privileged memory of CPUs.

Variant 4, formally called CVE-2018-3639 – Speculative Store Bypass, involves speculative execution of memory reads before the addresses of all prior memory writes are known, potentially allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. To put it less technically: Like all the variants before it, it gives a hacker access to a computer via a logic problem in the CPU.

For Intel, Spectre has been a ghost that, no matter how hard the company tries to banish it, keeps coming back to haunt it. But the good news is that Spectre Variant 4 has been rated only as a moderate risk because a number of previously issued Spectre patches partially protect against it, particularly attacks via web browsers.

In any case, patches are on their way. Leslie Culbertson, executive vice president and general manager of product assurance and security at Intel, wrote that “we’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks.”

Because of concerns about the patches causing system issues, which happened with previous Spectre fixes, Culbertson noted that they will be set to off-by-default, “providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option.”

None of this worried investors, perhaps because Spectre patches are becoming as common as companies exposing their private data on misconfigured AWS instances. Intel shares actually closing the day up 1.5 percent, $54.32, on a day when the Dow Jones Industrial Average rose 1.2 percent and the Nasdaq was up three-quarters of a point.

Image: TheDigitalArtist/Pixabay

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU