New Spectre 4 CPU Vulnerability Penetrates Intel's Virtual Fences

Technology > IT

cpu chip/ Photo By Anake Seenadee via 123RF


CPU chipmakers Intel and AMD confirmed that a new vulnerability Variant 4 has been observed in processors. The chipmakers also confirmed that the vulnerability is a serious security bug that can easily be accessed through a web browser. As of now, hardware-based safeguards available in the market cannot protect CPUs from Variant 4.

Defenses Down

The Spectre group of vulnerabilities affect modern microprocessors that power various electronic devices such as desktops, laptops, and mobile devices. The vulnerabilities have been spotted in devices with Intel, AMD, ARM-based, and IBM CPUs. 

Recently, the Google Project Zero detected the presence of Spectre Variant 4 that enables hackers to bypass the memory access safety to read privileged data and run previously executed commands in devices. It has been considered as a serious flaw because attackers can perform related actions by simply using a web browser like Microsoft Edge or Google Chrome.

Earlier this year, Intel announced that they have redesigned certain parts of new processors to provide a protection against Variants 2 and 3 vulnerabilities. The redesign included the use of virtual fences or the installation of a microcode enacted by the operating system to block the two vulnerabilities. However, the virtual fences do not work against the new Variant 4.

While the new vulnerability poses a grave security threat, Intel said that there is a way to resolve the glitch. It requires the installation of an updated microcode to disable the speculative execution system associated with Spectre 4 in processors.

'We’ve already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks,” stated Leslie S. Culbertson, executive vice president at Intel.

The mitigation given by the new microcode is turned off by default so that customers can choose whether or not to activate it.