Tech giants reveal new variant of Meltdown and Spectre vulns

The new vulnerability, dubbed “Variant 4,” can be exploited through JavaScript in a web browser to steal data.

Intel and Microsoft have revealed a new variant of the Meltdown and Spectre chip vulnerabilities that have plagued their products in recent months. The new vulnerability, dubbed “Variant 4,” can be exploited through JavaScript in a web browser to steal data.

Like the Meltdown and Spectre vulnerabilities, “Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel,” Leslie Culbertson, an executive vice president at Intel, wrote in a blog post.

Intel isn’t aware of any exploits of Variant 4 in the wild, Culbertson said, crediting the company’s expanded bug bounty program for boosting security. In a security advisory published Monday, Microsoft said that it wasn’t “aware of any exploitable code patterns of this vulnerability class in our software or cloud service infrastructure, but we are continuing to investigate.”

The Spectre (Variants 1 and 2) and Meltdown (Variant 3) vulnerabilities, discovered by Google’s Project Zero and made public in January, affected virtually all modern computer chips. Meltdown could let hackers get around a barrier between applications and computer memory to steal sensitive data, while Spectre tricks applications into spilling key information.


Some mitigating measures for Spectre also are applicable to Variant 4, according to Intel. But to prevent the vulnerability from being exploited in other ways, Intel and others are providing microcode and software updates, the chip giant said. Intel plans to release those software updates in “the coming weeks,” according to Culbertson.

The Department of Homeland Security on Monday also issued an alert on Variant 4, advising affected computer users to carefully test patches before applying them and to then monitor the performance of critical services and applications.

The recovery process for Spectre and Meltdown has been rocky, with one round of firmware updates causing computers to reboot and another patch introducing a new vulnerability altogether. Intel said the effect of Variant 4 mitigation on computing performance will depend on workload, how a platform is configured, and the type of mitigation measure employed.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
