New Spectre-Type Vulnerabilities Confirmed: What to Do
Intel, AMD, ARM and IBM yesterday (May 21) confirmed that there were indeed additional Spectre-type flaws found in its CPUs, as alleged earlier this month by a German magazine, along with a new Meltdown-type flaw. The vulnerabilities could be leveraged in browser-based attacks on users, but should be patched at the system level in the coming weeks.
The Spectre-like flaws, referred to as Variant 4 in a blog post by Intel's Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel, were first reported in early May by the German computer magazine C'T, which had been told of the flaws by then-unnamed researchers (some of whom worked for Microsoft and Google) and called the flaws Spectre NG, or Next Generation. (, and here's a list of affected Intel processors.)
The Meltdown-like flaw is called Variant 3a and is less serious overall. It will be patched through upcoming CPU firmware updates, not via operating-system patches.
AMD released its own statement that Variant 4 fixes were being rolled out by Microsoft and Linux distributors. ARM said four of its later Cortex A-series processors were affected by Variant 4, and listed technical mitigations. IBM detailed how the Variant 4 flaws affected its POWER chips.
What Can You Do
Culbertson said that "browser-based mitigations [for Variant 4 ... have already been deployed and are available for use today," so keep your browser up to date. Chrome should update automatically, provided you occasionally restart your machine. To check if Chrome has a pending update, navigate to chrome://settings/help, where you'll see its version status.
Firefox should also update itself, but you can confirm its status for yourself. Just click the menu button, click Help and select About Firefox. If updates are available, Firefox will download them automatically.
Microsoft's Edge and Internet Explorer browsers update themselves via Windows Update, which you'll want to check for system-wide updates. Apple's Safari browser also piggybacks on system updates, although there was no word yet from Intel or Apple about whether Macs had been or would be patched against the new Spectre flaws.
Culbertson said Intel had "already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors," and that this patch should be "released into production BIOS and software updates over the coming weeks."
Expect to see system notifications from the proprietary updates software on your system, such as Dell SupportAssist or HP Support Assistant. Those will arrive soon and should be downloaded to protect your PC.
More About Variant 4
Culbertson writes that Intel has "not seen any reports of this method being used in real-world exploits," but that shouldn't sway users from delaying updates.
Like the other Spectre and Meltdown flaws already disclosed, the Variant 4 and Variant 3a vulnerabilities are rooted in speculative execution, a method of speeding up a CPU's processes that has become commonplace in the past two decades.
Fixing or mitigating any Spectre or Meltdown flaws slows down CPU processes, and Culbertson says Intel chips that had implemented the patches for Spectre Variant 4 "observed a performance impact of approximately 2 to 8 percent" based on overall scores for benchmark testing.