Spectre 3a and Spectre 4 Unfortunately Announced...
Subject: Processors | May 22, 2018 - 07:51 PM | Scott Michaud
Tagged: x86, arm, Intel, amd, spectre
Security researchers at Microsoft and Google have found two new vulnerabilities along the lines of the Spectre and Meltdown bugs from early January. These are being called Spectre 3a (Rogue System Register Read) and Spectre 4 (Speculative Store Bypass). Like last time, hardware and software vendors have addressed the issues, which will be coming down via OS updates.
Naturally, James Bond will steal information when there's Intel Inside.
On the AMD side of things, they claim that the Spectre 4 vulnerability will be patched as far back as Bulldozer (2011). They also claim that no action will be necessary, at least to their knowledge, for Spectre 3a on their x86 parts. They have also released a short, five-page whitepaper discussing the issue.
On the Intel side of things… a security bulletin has been posted for CPUs as far back as Nehalem. They don’t exactly clarify which processors are susceptible to which vulnerabilities, but they acknowledge that both Spectre 3a and Spectre 4 touch something on their product stack to some extent. They have submitted a beta microcode update to OS vendors, which they expect to be production ready “in the coming weeks”.
ARM is also affected to some extent. They have published a table that lists which architectures are vulnerable to what exploit. Interestingly, there are some processors that are vulnerable to 3a, but not 4, and others that are vulnerable to 4, but not 3a (and, of course, some that are vulnerable to both and neither). Since these exploits are based on optimizations gone awry, you would think that it would have built up over time, but that doesn’t seem to be the case. The only pattern I could notice is that Variant 4 only affects newish 64-bit ARM processors. I don’t know if that’s a red herring, or a well-known corollary of the bug that I just don’t know enough about, but it’s about all that I can see.
Regardless, expect patches soon, which might, again, lower performance by some amount.