Google and Microsoft have warned of a fresh vulnerability affecting vast numbers of modern processors. It resembles the Meltdown and Spectre bugs revealed in January this year that had Intel and other processor makers scrambling to secure their chips.
The flaw, known as the Speculative Store Buffer Bypass or Variant 4, is exploitable via a website hosting malicious code and allows for the theft of sensitive data such as passwords and banking data, making it particularly pressing. But Microsoft said it was a "low" risk and Intel confirmed no exploits were in the wild. Because of those facts, and a possible degradation in performance thanks to the planned updates, chip makers aren't planning on pushing the fixes particularly hard at customers.
A new Spectre explained
Just as with the Spectre flaw of January, the latest hack exploits something called "speculative execution." A quick primer: when software sends a stream of instructions to the microprocessor, the chip works out which results need to be written out to external memory. Writing to that external memory, typically the memory banks known as dynamic random access memory (DRAM) chips, is time intensive. So to speed things up, the chip parks those pending writes in a buffer (the store buffer) and looks ahead to other instructions it can deal with in the meantime. Whatever is in the buffer is written to memory later.
All this ensures optimal use of different processor cores. But it comes with complications. For instance, what if an instruction being handled by the chip requires data that's in memory, but that data should already have been updated by a write still sitting in the buffer? The instruction would use stale information from DRAM, so the "speculation" that it could safely read what's in memory turns out to be wrong. Those false speculations then have to be thrown away and the work started again from scratch.
In most cases, the speculations are correct, so the acceptance of the occasional error is worth it when looking at the overall speed of a processor. But, unfortunately, speculative execution is carried out in a shared, unsecured area. That's what's at the heart of the Speculative Store Buffer Bypass: a malicious, unauthorized application can see what's happening in a speculation process and manipulate it.
For instance, in one attack scenario, malicious code would go through the process of speculative execution. It would contain instructions asking for data from a memory cache when it should in fact have taken the newer value still passing through the buffer, hence the "bypass" in the vulnerability title. The whole process will eventually be dumped and re-executed once the speculation is found to be wrong. But by that point it doesn't matter: the malware has already gained some access to the memory cache. Repeating the process could let the attacker gather enough information from caches to piece together something useful, like a password or credit card details that are supposed to be accessible only to other, authorized applications.
Secure your chips
The bug affects all manner of CPUs, including AMD, ARM and Intel chips as well as IBM's POWER8, POWER9 and SystemZ series.
Alongside Google and Microsoft, Intel, AMD and Red Hat have issued advisories. Intel played down the issue, saying fixes that came in the aftermath of Meltdown and Spectre go some way to dealing with the problems. But it would still release further updates "over the coming weeks."
Users will have to turn those updates on, however, as they will be "off-by-default." That could be because of the performance hit from those updates, which Intel said would land somewhere between 2% and 8%.
AMD recommended users stick to default settings, however. "Based on the difficulty to exploit the vulnerability, AMD and our ecosystem partners currently recommend using the default setting that maintains support for memory disambiguation," the company wrote.
It's a rare case where users aren't being rushed into installing patches, but asked to make their own risk assessment.
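For anyone making that assessment on a Linux host, the kernel reports its Variant 4 status in sysfs, and the wording tells you whether the mitigation is system-wide or only available to processes that opt in. The script below is an added example, not from the article or any vendor advisory; the sysfs path and the status strings are the kernel's own, while the sample strings fed to the self-test are constructed.

```shell
#!/bin/sh
# Added example: classify the Linux kernel's Speculative Store Bypass report.
# Sysfs entry and status wording are the kernel's own; the classifications
# (not-affected, mitigated, opt-in, vulnerable, unknown) are this script's.

SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb STATUS_TEXT
# Maps the kernel's text to a short verdict. "opt-in" means the mitigation
# exists but is only applied to processes that request it via prctl or
# seccomp, i.e. the system-wide default is still off.
classify_ssb() {
    case "$1" in
        "Not affected")                                              echo not-affected ;;
        "Mitigation: Speculative Store Bypass disabled via prctl"*)  echo opt-in ;;
        "Mitigation: Speculative Store Bypass disabled")             echo mitigated ;;
        Vulnerable*)                                                 echo vulnerable ;;
        *)                                                           echo unknown ;;
    esac
}

# ssb_status
# Verdict for this host; "unknown" when the kernel predates the sysfs entry
# or the file cannot be read (e.g. some container sandboxes).
ssb_status() {
    if [ -r "$SSB_SYSFS" ]; then
        classify_ssb "$(cat "$SSB_SYSFS")"
    else
        echo unknown
    fi
}

# ssb_check
# Exit 0 only when nothing is exposed; otherwise explain on stderr so the
# script can sit in a compliance or configuration-audit job.
ssb_check() {
    case "$(ssb_status)" in
        not-affected|mitigated) return 0 ;;
        opt-in)
            echo "SSB mitigation is per-process opt-in; system-wide default is off" >&2
            return 1 ;;
        *)
            echo "SSB mitigation not active or status unknown" >&2
            return 1 ;;
    esac
}
```

Run `ssb_check; echo $?` on the host; a non-zero result with the "opt-in" message is the "off-by-default" situation the article describes, and the kernel's `spec_store_bypass_disable=on` boot parameter is the system-wide switch for it.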