Knock Knock, it's Spectre!
Yet again, security researchers from Microsoft and Google's Project Zero have found a fourth variant of the Meltdown-Spectre security flaws that impacted almost all modern CPUs.
This new variant is dubbed Spectre-Next Generation, or more simply Variant 4 (CVE-2018-3639). Just like Variants 1 and 2, Variant 4 takes advantage of speculative execution to potentially expose sensitive data through a side channel. TheHackerNews tells us more about speculative execution below:
This is good for general computers, since the CPU is constantly having different things thrown at it. The bad thing is that the design of this feature can be exploited to trick the CPU into revealing sensitive information. This can be anything ranging from passwords to encryption keys stored for disk encryption.
Unfortunately, since speculative execution is a feature in almost every modern processor, it can affect Intel, AMD and even ARM -- and it doesn't even stop there! IBM's Power 8, Power 9 and System z CPUs are also affected by this. To get a grasp on what this exploit is and how it can work, Red Hat Linux has provided us with a video:
Moreover, Intel has classified Variant 4 as "medium risk" since many of the exploits that the Speculative Store Bypass attack would exploit were fixed by browsers like Safari, Edge, and Chrome during the last craze. From Intel:
And we haven't even gotten to the really bad news yet. According to some tests performed by Intel, you can expect a performance hit ranging from 2 to 8 percent. To keep as much performance as possible, however, this new Variant 4 mitigation will be disabled by default, giving the users the unworldly "choice" of whether they want it on or not.