Ghost in the machine: What you need to know about Spectre Variant 4

22 May 2018

Image: Warat42/Shutterstock

Microsoft and Google have disclosed a flaw known as Spectre Variant 4 that could leave any chip on any 21st-century computer open to attack.

The ghosts of Spectre and Meltdown have returned to haunt the computing world with news that Microsoft and Google have revealed a new CPU vulnerability called Spectre Variant 4.

Earlier this year, the world learned of the Spectre and Meltdown flaws that existed on popular processing chips made by Intel, AMD and ARM, and left nearly all computers and phones worldwide potentially vulnerable to attacks by hackers.

The latest vulnerability is understood to be a similar exploit to Spectre, which was a bug that broke down the isolation between different applications, and tricked computer programs or apps into revealing their secrets.

What is Spectre Variant 4?

Referred to as the Speculative Store Bypass by Intel, Spectre Variant 4 exploits speculative execution methods that modern CPUs use. This is an optimisation technique to expose different kinds of data and can run through browsers via runtimes such as JavaScript.

The flaw could also be exploited through browsers such as Safari, Edge and Chrome that were previously updated with patches to tackle Meltdown and Spectre.

As Google Project Zero security researcher Jann Horn has revealed, armed with the right code, a hacker can use the technique to pull data from a system.

In English, please?

Well, it is a new flaw that could be exploited by hackers who know what they are doing to expose data on a machine, but there is no evidence that they have done so yet. A fix or a patch could potentially mean that the performance of your device could be slowed down by between 2pc and 8pc, but that is just speculation until a fix is revealed.

The bug was discovered last November by Microsoft, which worked with industry to find a fix and is now jointly disclosing it with Google.

In plain English, it means a skilled hacker can use the flaw to attack any computer running any operating system (OS).

So, is my computer safe?

No computer is safe, apparently, so it is a bit of a race against time regarding how patches are circulated and how quickly hackers can get up to speed.

The chances are, the industry is playing it safe by disclosing the flaw and alerting people to be ready for whatever fixes become available.

The flaw does not solely affect Intel chips; it also affects AMD and ARM processors, too.

Intel said it will release firmware updates to most OS and browser vendors such as Microsoft, Google and Apple in the coming weeks.

What can I do about it?

Nothing, for now. Just keep your security software up to date and activate any updates that become available for your OS on your device.

Wait, what was Meltdown and Spectre again?

The Meltdown bug concerned laptops, desktop computers and internet servers that have Intel chips. It breaks down the most fundamental isolation between user applications and the OS. The attack therefore allows a program to access the memory and other secrets of programs and the OS.

Spectre is a bug that breaks the isolation between different applications. This potentially allows hackers to trick error-free programs that normally follow best practices into leaking their secrets. By trying to do the right thing following best practices, applications only end up increasing the attack surface, making more applications vulnerable.

Speculative Store Bypass is the fourth variant of the Spectre bug to emerge since January.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years