Google and Microsoft have disclosed a new variant of CPU security flaw similar to the Spectre and Meltdown, which was revealed back in January this year.
Named Speculative Store Bypass (variant 4), the latest CPU bug was disclosed earlier this month by a German computer science publication. Like the old Spectre and Meltdown bugs, this new variant exploits similar vulnerabilities but uses a different method to extract sensitive information. If hackers can successfully utilize this vulnerability on any program such, which can be done by running script files or text files containing a sequence of commands, they can easily get sensitive information off other parts of that program.
In a blog post, Intel said that the company offered patches for the previous vulnerability in January, which can be applicable to variant 4 as well. Besides, they are offering an additional patch for variant 4, which is a mixture of software updates and microcode.
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” said Intel’s security chief Leslie Culbertson.
Patch can degrade performance
Similar to the previous Spectre and Meltdown mitigations, this new vulnerability fixes could potentially reduce the CPU performance. According to Intel, this fix will be set to off-by-default, means it’s completely up to the users whether they want to enable the new protection.
“If enabled, we’ve observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems,” Culbertson said.
If you run the patch, it will degrade the performance of your processor. If you don’t, you won’t be protected anymore. So, you have to choose one between security and speed.