Google and Microsoft joined forces to announce a newfound CPU security flaw

 

Microsoft and Google have disclosed a new CPU security vulnerability that is eerily similar to the Meltdown and Spectre flaws that were announced earlier this year by Microsoft. The United States Computer Emergency Readiness Team refers to the flaws as Variant 3a: Rogue System Register Read and Variant 4: Speculative Store Bypass. The US-CERT website states:

 

Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.

Variant 4 is a vulnerability that exploits “speculative bypass.” When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations. While implementation is complex, this side-channel vulnerability could allow less privileged code to

  • Read arbitrary privileged data; and
  • Run older commands speculatively, resulting in cache allocations that could be used to exfiltrate data by standard side-channel methods.¹

 

The fix for this new vulnerability isn’t just a software patch; it also requires a firmware update. The mitigation will be off by default, so it will not immediately slow systems down, but in that state it also won’t offer any protection. Intel has found that if the firmware update is enabled, the performance impact to CPUs is approximately 2-8%.

System admins and users are going to have to make a difficult choice between system security and optimal performance. These new variants do appear to be less of a risk than Meltdown and Spectre, but if you are very concerned about security, or if you hold a lot of sensitive data, this firmware may need to be enabled. This is especially important now that the information has been announced: hackers who didn’t know about it before certainly do now.
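On Linux hosts (an assumption; the article names no operating system), kernel 4.17 and later report the Variant 4 mitigation state in sysfs, which makes the "off by default" condition easy to audit. The script below is an added example, not part of the original article or any vendor tooling; the function names are hypothetical and the status strings in the test are constructed samples.

```shell
#!/bin/sh
# Added example: audit the Speculative Store Bypass (Variant 4) mitigation state.
# Assumption: Linux kernel 4.17+ exposing the sysfs vulnerabilities directory.
SSB_SYSFS=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass

# classify_ssb STATUS -> protected | opt-in | unprotected | not-affected | unknown
classify_ssb() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        # Must precede the generic "disabled" pattern: in prctl/seccomp mode only
        # processes that request the mitigation get it; everything else stays exposed.
        "Mitigation: Speculative Store Bypass disabled via prctl"*) echo opt-in ;;
        "Mitigation: Speculative Store Bypass disabled"*) echo protected ;;
        "Vulnerable"*) echo unprotected ;;
        *) echo unknown ;;   # empty or unrecognised: old kernel or missing file
    esac
}

# ssb_cmdline_mode CMDLINE -> mode requested on the kernel command line.
# "auto" when nothing is set; a repeated option resolves to its last occurrence.
ssb_cmdline_mode() {
    mode=auto
    forced_off=0
    set -f                      # no glob expansion while word-splitting
    for arg in $1; do
        case "$arg" in
            nospec_store_bypass_disable) forced_off=1 ;;
            spec_store_bypass_disable=*) mode=${arg#spec_store_bypass_disable=} ;;
        esac
    done
    set +f
    if [ "$forced_off" -eq 1 ]; then mode=off; fi
    echo "$mode"
}

# ssb_report [FILE] -> classification of the status file (default: live sysfs path)
ssb_report() {
    file=${1:-$SSB_SYSFS}
    status=""
    if [ -r "$file" ]; then status=$(cat "$file"); fi
    classify_ssb "$status"
}

echo "SSB state: $(ssb_report); cmdline mode: $(ssb_cmdline_mode "$(cat /proc/cmdline 2>/dev/null)")"
```

A result of `opt-in` or `unprotected` on a host that handles sensitive data is the case the article describes: the update is installed but the system-wide protection has not been turned on.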

Intel is no slouch when it comes to product defects and is already preparing its own CPU changes. They’re currently redesigning their processors to protect against attacks like Spectre and Variant 4 in the future. Expect those protections to be part of Intel’s next-gen Xeon processor. You’ll also see these updated protections applied to 8th generation Intel Core CPUs that will ship out later this year.

As always, if we can be of help with your network, give us a call here at RHYNO Networks. (855) 749-6648

 

 

¹ https://www.us-cert.gov/ncas/alerts/TA18-141A