CPU Makers Confirm New Security Flaws, So Update Now

Intel is finally confirming that its computer processors are vulnerable to an additional variant of Spectre, the nasty security vulnerability that affects nearly every CPU currently in devices and in the marketplace.

German computing magazine C’t first reported the additional flaws, which can be exploited in a browser setting using a runtime (think JavaScript), on May 3. When we reached out to CPU makers, including Intel and AMD, at that time, they declined to comment. Instead they made loose allusions to an embargo – which is when companies (as well as security researchers and often journalists) withhold information until an agreed-upon time.

But that didn’t stop Germany from taking the newly reported threats seriously. Last week, the country’s Federal Office for Information Security (BSI) asked that the makers of the affected CPUs fix the flaws as soon as possible and issued a warning to consumers in defiance of the embargo.

Gizmodo was not privy to this embargo or the details within it. However, Intel is now confirming C’t’s report. In a blog post, Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, confirmed that additional vulnerabilities did exist.

The vulnerabilities appear to be of the Spectre variety, which takes advantage of speculative execution – a technique used by almost all modern microprocessors. Called Variant 4, this new exploit can be used in a browser. Thankfully, all major browsers, including Chrome and Firefox, should be patched for the vulnerability. So make sure your browser is up to date and stays up to date.

A patch for the vulnerability is expected to be released by most major computer makers in the coming weeks and a beta of the patch has already been released to those manufacturers.

As for how much the patch will slow down your computer, in testing Intel has “observed a performance impact of approximately 2 to 8 per cent.” That should be negligible to most people, but it definitely adds up when you consider the previous patches, which also reportedly slowed computers down incrementally.

What this ultimately confirms is that CPU makers need to learn a new way to perform speculative processing or these vulnerabilities will continue to occur; CPU makers will continue to brag about the speeds of their CPUs, and then they will continue to be forced to patch, and essentially throttle, those CPUs after release. If you’re in CPU academia or the security research field, this is an exciting time. If you’re an engineer at Intel, it’s considerably less so.

Besides Intel, AMD and ARM have also confirmed they are subject to the vulnerability, which means the same good security practice rules apply to people with AMD-powered computers or ARM-based phones (both Qualcomm and Apple mobile processors are based on ARM). Keep everything updated, even if it feels like a chore.

[Intel, AMD, ARM]

