Researchers reveal fourth variant of Specter and Meltdown leaks

Researchers at Microsoft and Google’s Project Zero have released information about a new vulnerability, a so-called fourth variant of the Meltdown and Specter vulnerabilities, which can cause security issues especially when using certain browsers.

Microsoft and Google speak of a new underclass of vulnerabilities, called speculative store bypass. Like the previous vulnerabilities, this vulnerability is based on speculative execution. According to Intel, this fourth variant was demonstrated in a language-based runtime environment. An example of this is Javascript. A web browser is constantly running Javascript code.

Intel says that the patches already released for the earlier variants will also work for the new fourth variant, but despite this, the company has already released microcode and software updates specifically for the fourth variant. Certain vulnerabilities are disabled by default, so users must manually enable them. Intel says it expects motherboard manufacturers to make patches available in the form of bios updates in the coming weeks. These can have a negative impact of 2 to 8 percent on performance. AMD and ARM also come with patches.

The Specter and Meltdown vulnerabilities were revealed in January and allow kernel memory readouts. Meltdown almost exclusively affects Intel processors, while Specter also affects ARM and AMD, among others. Meltdown allows the reading of kernel memory, while with Specter this applies to processes.