Get the Lowest Prices anywhere on Macs, iPads and Apple Watches: Apple Price Guides updated December 9th
 

 

Intel promises fix for new 'Variant 4' Meltdown, Spectre vulnerability

Industry woes over Meltdown and Spectre continued this week when Google and Microsoft on Monday revealed a newly discovered silicon-level vulnerability impacting chips used in millions of computers, including those marketed by Apple.




Dubbed "Variant 4," or Speculative Store Bypass, the latest security flaw is part of the original family of Meltdown and Spectre vulnerabilities made public in January. Intel disclosed the vulnerability in a blog post on Monday.

Similar to Spectre, Variant 4 takes advantage of speculative executions to grant nefarious actors access to sensitive information stored in system memory. The new strain, however, warrants its own designation because it uses a different mechanism to extract said data.

As noted by CNET, Intel categorizes Variant 4 as a moderate risk, saying many of the exploits used to gather sensitive information were fixed in web browser patches pushed out earlier this year to deal with Spectre.

Intel intends to issue a fix for Variant 4 in the coming weeks. Due to the relative low risk of attack in real-world scenarios, the company will ship the patches turned off by default, reports Reuters. Users can enable the fix manually, though running the patch is expected to result in a processor performance slowdown of between 2 percent and 8 percent.

ARM and AMD are also issuing patches for their respective chips, with AMD also advising users leave the fix disabled due to the inherent difficulty of performing a successful attack, the report said.

Whether today's disclosure is related to a set of eight new vulnerabilities uncovered earlier this month is unclear. According to German publication c't, seven of the flaws are similar to Spectre, while an eighth could allow a hacker to launch an exploit in a virtual machine to attack its host system.

Meltdown and Spectre exploit "speculative executive," a modern CPU feature designed to improve operating speed by executing multiple instructions at the same time.

"To increase performance, the CPU predicts which path of a branch is most likely to be taken, and will speculatively continue execution down that path even before the branch is completed," Apple explained in a January statement. "If the prediction was wrong, this speculative execution is rolled back in a way that is intended to be invisible to software."

Though the processes are supposed to be inaccessible by applications and end users, Google researchers discovered that speculative executions could potentially be used to gain access to sensitive information.

Initially thought to be limited to Intel silicon, Meltdown and Spectre were found to affect all modern processors, including ARM-based chips like Apple's A-series SoCs. Shortly after initial reports went live, Apple issued a statement confirming all Mac and iOS CPUs are impacted by the security flaw.