Variant 4 vulnerability: Spectre continues to haunt Intel, AMD, ARM

By JC Torres/May 21, 2018 11:09 pm EST

2018 immediately started off on the wrong foot for Intel and, consequently, the computing industry at large. Meltdown and Spectre vulnerabilities plagued modern processors, mostly from Intel but also from its rivals, even on some ARM chips. They can never be fully fixed without an entirely new CPU architecture, so all we're left with are mitigations to lessen the probability of an exploit. Even so, new variants still arise and a fourth one based on Spectre has just been found. Fortunately, at least for now, Intel says there's little reason to panic.

While Meltdown is more based on a race condition inherent in modern processors, the Spectre vulnerability takes its name from speculative execution. Processors are so smart that they try to predict what path a code may take. A wrong prediction, however, leaves some observable side effects (a spectre, so to speak) that could give attackers access to private data through a side channel.

Variant 4, which is the rather non-descriptive name Intel, Google, and Microsoft are giving to this vulnerability, works a lot like Spectre. It exploits speculative execution to get data through a side channel. And, like Spectre, the side channel in this case is a "language-based runtime environment", which often translates to JavaScript running in a Web browser.

So, yes, another strain of Spectre has been found. The good news is that Intel says it is not aware of any successful attempt at exploiting it yet. For one, many of the mitigations that have already been released for Variant 1 (original Spectre) are also applicable to Variant 4. But for good measure, Intel is still releasing a new microcode and software update for it.

That said, those mitigations, like all previous ones, do have a performance impact. Intel says it's as low as 2 to 8 percent, which may still be too high for some. Considering the extremely remote possibility of someone actually using the exploit, Intel will be turning the mitigation off by default when the update arrives, leaving users with the choice to turn it on themselves if they want to.