A fourth variant of the Meltdown and Spectre family of processor vulnerabilities has been disclosed by Microsoft and Google, according to advisories published by researchers from both organisations.
The design flaws can be exploited by malicious software running on a vulnerable device or computer to extract personal and secret data, such as passwords, from memory that the processor's access checks should have kept out of that software's reach.
The flaws stem from speculative execution, a technique in which a processor runs instructions ahead of knowing whether their results will actually be needed. The mitigations are known to slow performance.
The first and second variants are known as Spectre and are tracked as CVE-2017-5753 (bounds check bypass) and CVE-2017-5715 (branch target injection), while CVE-2017-5754 is the third variant, named Meltdown. Microsoft has disclosed the fourth variant, Speculative Store Bypass, as CVE-2018-3639.
The vulnerability affects "out-of-order" processor cores from Intel, AMD and Arm, as well as IBM's Power 8, Power 9 and System z CPUs.
Code running inside a language runtime, such as JavaScript on a web page in a browser tab, could potentially exploit the fourth variant to read sensitive information, such as personal details, held in other parts of the browser.
In a statement on Monday, Leslie Culbertson, Intel's executive vice president and general manager of product assurance and security, said: "We know that new categories of security exploits often follow a predictable lifecycle, which can include new derivatives of the original exploit."
She added: “Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today. However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.”
“We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent,” she concluded.
Speculative execution is a technique modern processors use to keep working while they wait for slow operations, such as memory reads or branch decisions, by executing instructions ahead of knowing whether, or with what data, they will actually be needed. If the guess turns out to be wrong, the processor discards the results. Meltdown, Spectre and Speculative Store Bypass are all side channels built on this behaviour: the discarded instructions still leave traces in the processor's internal state, such as which data is now in the cache, and an attacker who can measure those traces can recover data that the processor's protection checks were supposed to keep hidden.
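On Linux the "customer's choice" described in Intel's statement above is exposed directly: the kernel publishes a system-wide Variant 4 status file under sysfs, and a process can opt itself into Speculative Store Bypass Disable through prctl(2). The C program below, added here as an example and not taken from the article or from any vendor advisory, reads the system status, checks whether the calling process is still unmitigated and, if so, turns the mitigation on for itself. It assumes a Linux kernel that provides PR_GET_SPECULATION_CTRL/PR_SET_SPECULATION_CTRL and the spec_store_bypass sysfs entry; the helper names ssb_query, ssb_disable, ssb_unmitigated and ssb_sysfs_status are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Linux speculation-control prctl(2) interface (include/uapi/linux/prctl.h).
 * Guarded so the program still builds against older headers that lack it. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#endif
#ifndef PR_SPEC_NOT_AFFECTED
#define PR_SPEC_NOT_AFFECTED   0
#define PR_SPEC_PRCTL          (1UL << 0)
#define PR_SPEC_ENABLE         (1UL << 1)
#define PR_SPEC_DISABLE        (1UL << 2)
#define PR_SPEC_FORCE_DISABLE  (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
#define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif

/* Path the Linux kernel uses for the system-wide Variant 4 status line. */
static const char *SSB_SYSFS =
    "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass";

/* Decode the PR_GET_SPECULATION_CTRL bitmask into the practical question:
 * is this process still exposed to store bypass?
 * Returns 1 if speculation is enabled (unmitigated), 0 if mitigated or the
 * CPU is not affected, -1 if the mask carries no usable answer. */
int ssb_unmitigated(long mask) {
    if (mask == PR_SPEC_NOT_AFFECTED) return 0;
    if (mask & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE | PR_SPEC_DISABLE_NOEXEC))
        return 0;
    if (mask & PR_SPEC_ENABLE) return 1;
    return -1;
}

/* Ask the kernel for the calling process's store-bypass control state.
 * Returns the mask, or -1 with errno set (EINVAL/ENODEV on kernels that
 * do not offer the interface). */
long ssb_query(void) {
    return prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0);
}

/* Opt this process, and every child it spawns, into Speculative Store
 * Bypass Disable. Returns 0 on success, -1 with errno set otherwise
 * (ENXIO when the kernel's global policy forbids per-task control). */
int ssb_disable(void) {
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
                 PR_SPEC_DISABLE, 0, 0);
}

/* Copy the one-line sysfs status into buf without its trailing newline.
 * Returns 0 on success, -1 with errno set if the file is unavailable. */
int ssb_sysfs_status(char *buf, size_t len) {
    FILE *f = fopen(SSB_SYSFS, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)len, f)) { fclose(f); return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void) {
    char line[256];
    if (ssb_sysfs_status(line, sizeof line) == 0)
        printf("system:  %s\n", line);
    else
        printf("system:  sysfs status unavailable (%s)\n", strerror(errno));

    long before = ssb_query();
    if (before < 0) {
        printf("process: speculation control unavailable (%s)\n", strerror(errno));
        return 0;
    }
    if (ssb_unmitigated(before) != 1) {
        printf("process: store bypass already mitigated (mask 0x%lx)\n", before);
        return 0;
    }
    printf("process: store bypass enabled (mask 0x%lx), opting in to SSBD\n", before);
    if (ssb_disable() != 0) {
        printf("process: could not disable store bypass (%s)\n", strerror(errno));
        return 1;
    }
    printf("process: now mitigated (mask 0x%lx)\n", ssb_query());
    return 0;
}
```

Build with `cc -Wall ssbd.c -o ssbd` and run it twice, once as-is and once after booting with the kernel's global policy changed, to see the difference between a system-wide setting and a per-process one. Because the opt-in is inherited across fork and exec, the natural place to call ssb_disable is a launcher or sandbox wrapper for the processes that actually run untrusted code, such as a browser's renderer, rather than every program on the machine; that is how a deployment can keep Intel's default-off setting for ordinary workloads and still pay the mitigation's cost only where hostile code is expected.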
Joseph Carson, Chief Security Scientist at Thycotic told Computer Business Review in an emailed statement: “No surprises here, once a major vulnerability is found the world’s cybersecurity researchers will zoom in to find other possible variations and as expected we are starting to learn about more Meltdown and Spectre chip-level security flaws.”
He added: “This particular variant exploits the speculative Store Bypass attack commonly used in “Language-based runtime environments” used in web browsers for example JavaScript. Currently there is no permanent solution for these flaws (a nice way to avoid saying major security vulnerability) and everything we have seen so far is turn it off and accept reduced performance.”
"It is a bit like a car manufacturer telling you to 'remember that car we sold you? Well the locks don't really work so to keep it from being stolen you can no longer drive it at 70mph but now it is limited to 50mph. Sorry you can't have fast performance and security at the same time so you must choose only one'," he concluded.
Rodney Joffe, SVP and Fellow at Neustar added: “These new Spectre vulnerabilities – both from a hardware and software perspective – can allow attackers to obtain access to sensitive information on affected systems. They are vulnerable to side-channel attacks and can result in destroyed security hardware, as well as vulnerable software.”
He added: “Unfortunately patches will be left off by default – leaving organisations at risk. This is why it is critical that security teams are in immediate contact with their hardware and software vendors for patches or microcode, that they use a test environment to verify each patch before implementing, and they ensure that performance is monitored for critical applications and services. There is a fundamental vulnerability in core chips and organisations need to know that they need to plan for patching and attacks are going to continue.”