Very often a significant security flaw is followed by new derivatives of the same exploit. Following the widely popular Spectre and Meltdown speculative execution attacks, there were predictions that more flaws of similar nature will hit PC owners pretty soon.
Variant 4 is the newest addition to this increasing list of vulnerabilities. In a new blog post, Intel has published details of the exploit. As per the company, Variant 4 has been demonstrated in a language-based runtime environment–JavaScript in web browsers, to be precise. However, any evidence of any real-life exploit hasn’t been found.
The blog further states that the mitigations shipped for Variant 1 by most leading browsers have made the Variant 4 exploit difficult. However, for complete protection, the company is working with different partners to ship software and microcode updates.
Variant 4 has been classified as a medium severity risk by Intel and Google’s Project Zero; Microsoft has published a security advisory as well. Initial Linux patches have also been freshly baked.
It’s worth noting that the upcoming fix will be off by default and vendors will have to make the final decision of enabling it. The company also acknowledged that the performance of systems could witness a decline between 2-8%.
The post also mentions microcode fix for Variant 3a, which was documented by Arm in January, hasn’t resulted in any performance hit. The company plans to bundle both updates together.
What are your views on this development? Share your thoughts and keep reading Fossbytes.
