The ghosts of the Meltdown and Spectre will haunt the computing industry for years to come. But now that the initial patching efforts for those CPU flaws are drawing to an end, Google and Microsoft have disclosed a related “speculative execution” attack dubbed Speculative Store Bypass, or simply Variant 4. (Meltdown and the two Spectre flaws were the first three variants.) Don’t panic though.
Let’s start with the bad news: Speculative Store Bypass affects Intel, AMD, and ARM chips, meaning mobile devices are also affected. But fortunately, Variant 4 attacks runtime languages in browsers like Chrome, Firefox, and Edge—just like one of the previous Spectre attacks. “Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser,” Intel’s Leslie Culbertson says. “These mitigations are also applicable to Variant 4 and available for consumers to use today.”
Keep your browser up to date and you’re good to go, in other words. If you've been installing updates as they arrive, you’re probably already as protected as you can be against the Speculative Store Bypass at this point—but that’s not fully protected yet.
Fully mitigating the issue on Intel processors requires a mixture of software and CPU firmware updates, similar to Spectre. Intel says it’s already shipped microcode patches for Variant 4 to its hardware partners in beta form, and the company expects new motherboard BIOSes containing the fix to start rolling out “over the coming weeks.” But it seems like Intel thinks the browser fixes alone are protection enough, as the company says that the new firmware will ship with the Speculative Store Bypass mitigation disabled by default. You have to choose to manually enable it, which makes this fix feel a bit like public relations theater by Intel.
“If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems,” Intel says. Previous Spectre-related firmware patches already dragged down PC performance, especially in storage and other I/O-intensive tasks.
The mitigation for AMD processors involves operating system patches alone, with no Speculative Store Bypass firmware updates planned.
Keeping your browser up to date is just part of staying safe in a post-Meltdown world. Check out PCWorld’s guide on how to protect your PC against Meltdown and Spectre for the full details, and be sure to keep your antivirus active. While Intel says it isn’t aware of a successful browser-based attack, security researchers have detected code samples attempting to leveraging the CPU exploits. Would-be hackers need to be able to run code on your PC to trigger the CPU flaws, so keeping your browser updated and antivirus vigilant can help protect against it. PCWorld’s guide to the best antivirus software can help you find the right security for your needs.