Tech giants reveal new variant of Meltdown and Spectre vulns
Intel and Microsoft have revealed a new variant of the Meltdown and Spectre chip vulnerabilities that have plagued their products in recent months. The new vulnerability, dubbed “Variant 4,” can be exploited through JavaScript in a web browser to steal data.
Like the Meltdown and Spectre vulnerabilities, “Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” Leslie Culbertson, an executive vice president at Intel, wrote in a blog post.
Intel isn’t aware of any exploits of Variant 4 in the wild, Culbertson said, crediting the company’s expanded bug bounty program for boosting security. In a security advisory published Monday, Microsoft said that it wasn’t “aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”
The Spectre (Variants 1 and 2) and Meltdown (Variant 3) vulnerabilities, discovered by Google’s Project Zero and made public in January, affected virtually all modern computer chips. Meltdown could let hackers get around a barrier between applications and computer memory to steal sensitive data, while Spectre spoofs applications into spilling key information.
Some mitigating measures for Spectre also are applicable to Variant 4, according to Intel. But to prevent the vulnerability from being exploited in other ways, Intel and others are providing microcode and software updates, the chip giant said. Intel plans to release those software updates in “the coming weeks,” according to Culbertson.
The Department of Homeland Security on Monday also issued an alert on Variant 4, advising affected computer users to carefully test patches before applying them and to then monitor the performance of critical services and applications.
The recovery process for Spectre and Meltdown has been rocky, with one round of firmware updates causing computers to reboot and another patch introducing a new vulnerability altogether. Intel said the effect of Variant 4 mitigation on computing performance will depend on workload, how a platform is configured, and the type of mitigation measure employed.