Intel found a new derivative of the Spectre security flaw in its chipset. And while this one isn’t as serious from a security perspective, its fix could further impact PC performance.
“We have not seen any reports of this method being used in real-world exploits,” Intel’s Leslie Culbertson explains. “Moreover, there are multiple ways for consumers and IT professionals to safeguard their systems against potential exploits, including browser-based mitigations that have already been deployed and are available for use today.”
Spectre Variant 4, as this new derivative is called, uses a common feature in modern processors called speculative execution to “potentially expose certain kinds of data through a side channel,” Intel says, noting that the most common avenue for a successful exploit—which has not happened—is in web browsers. AMD and ARM-based chipsets are also impacted.
There is good news. Back in January, PC makers began deploying firmware updates to their customers that included a mitigation for Spectre Variant 1, and that mitigation is effective against this new derivative as well.
The bad news, while very much expected, is that Variant 4 will still require its own fix to be completely contained. This fix will require a combination of firmware and software updates, Intel says. As such, it will be delivered, on PCs, via Microsoft’s Windows Update and through the software that PC makers supply for driver updates.
For this reason, the new Spectre variant was jointly disclosed by Microsoft and Google, and platform makers like AMD, ARM, and Red Hat have also issued announcements as well.
In the PC space, Microsoft has a dual responsibility: It will deliver software updates to all PCs via Windows through Windows Update. And its Surface PCs will require new firmware updates to address the derivative.
“These vulnerabilities affect many modern devices including Surface devices,” Microsoft’s Brandon Records says. “In addition to the operating system updates, Surface will be making available firmware updates to address these new vulnerabilities.”
Naturally, one wonders about the potential performance impact of further fixes. Intel says that it will let customers determine whether to enable the new mitigation in their own PCs since the security threat is low. It expects most PC makers to leave it disabled by default as well.
“In this configuration, we have observed no performance impact,” Intel notes. “If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on benchmark scores.”