Bad news, consumers—there’s a new chip-based security vulnerability you need to watch out for. On May 21, Microsoft and Intel made a joint announcement disclosing what’s being called “Variant 4.”
This new issue has a lot of similarities to Spectre and Meltdown. Like Spectre and Meltdown, Variant 4 is a type of bug called a Speculative Store Bypass. This vulnerability can be used to access files and private info on your device. Meltdown, Spectre and Variant 4 also have another thing in common: the basis for these vulnerabilities is built into hundreds of millions of chips used in computers and mobile devices.
What’s different about Variant 4 is simply the way it’s exploited. We won’t go into technical details, but CNET says it “could allow your processor to load sensitive data to potentially insecure spaces.” The word could is key. It doesn’t seem that Variant 4 has been used in the wild…yet. However, now that it’s out in the open, it’s entirely possible hackers will be working overtime to give it a try.
What devices are impacted?
Most modern devices that have Intel, AMD or ARM processors, including mobile devices.
What can you do?
In some ways, there’s nothing to do. Variant 4 is a “flavor” of vulnerability that gets exploited in certain browser languages used by Chrome, Firefox, and Edge—just like with Spectre. Since patches were already put in place for Spectre (months ago, assuming your browser is up to date), and since Variant 4 is literally a variation on that bug, this means nothing new is required…but here’s where things get a little complicated.
Unlike Spectre, there is a firmware update for Variant 4 for Intel machines. You can download the update to be more secure, however there is a down side: the available fix could slow down your machine. TechCrunch is reporting the fix caused a 2 to 8 percent hit to performance in Intel’s own tests. As a result, the fix is one you have to choose to turn on once you download it (by default it’s off). Intel is letting manufacturers and consumers make a decision about whether they want to have a potentially slower but safer computer. AMD isn’t offering a specific firmware update at the time of this writing.
Full disclosure: we would always encourage our customers to run the latest updates on their devices.
Keep an eye out for more information about this vulnerability since the situation is still developing—and watch for any new ones that are discovered in this same Speculative Store Bypass family. If they’ve found four variations so far, it’s entirely possible they’ll discover more.