The Spectre and Meltdown bugs seem to have morphed into horror movie monsters that just won’t die.
Microsoft and Google security researchers on Monday disclosed a new variant of the hardware vulnerabilities first uncovered in January. As with the original Spectre and Meltdown bugs, the latest chip problems — dubbed Speculative Store Bypass or Variant 4 — affect Intel, AMD, and ARM CPUs.
It’s unclear if the latest CPU flaws are the same ones first reported by German website Heise earlier this month.
In a security update, Microsoft classified the risk posed by Variant 4 as low. The researchers, along with all three chipmakers, say they aren’t aware of any real-world attacks using these methods.
Like the earlier CPU flaws, Variant 4 uses speculative execution to potentially give hackers access to sensitive data through a side channel. “When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations,” according to the U.S. Computer Emergency Readiness Team.
Most browsers already issued fixes for Spectre and Meltdown in January. “These mitigations are also applicable to Variant 4 and available for consumers to use today,” wrote Intel’s Leslie Culbertson in a blog post. “However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.”
Intel has already provided the microcode update for Variant 4 in beta form to OEMs and system software vendors, Culbertson added. “We expect it will be released into production BIOS and software updates over the coming weeks,” she wrote.
ARM published new support for customers and noted the “majority of ARM processors are not impacted by any variation of this side-channel speculation mechanism.”
The ARM security update also stressed the importance of basics like patching and software updates. Variant 4 “is dependent on malware running locally, which means it’s imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads,” the update noted.
AMD said mitigations for the latest CPU flaws “are being provided by operating system updates back to the Family 15 processors.”