Intel on Monday acknowledged a new variant of the Spectre and Meltdown security flaws found in its processors and those made by other companies.
Similar to the Spectre and Meltdown side-channel exploits that were disclosed by Google Project Zero in January, Variant 4 uses speculative execution to potentially expose sensitive data, in this case through a web browser, wrote Leslie Culbertson, executive vice president and general manager of Intel's product assurance and security group, in a post on Intel's website. The exploit was jointly disclosed by Google Project Zero and Microsoft, she said.
The new vulnerability, however, is addressed by an update that was issued earlier this year for the Meltdown exploit in most leading browsers, including Google Chrome, Culbertson said. The Santa Clara, Calif.-based company is also planning to release a microcode update as an additional mitigation, which has already been received by system manufacturers and system software vendors.
The patch could have a 2-8 percent hit on performance if enabled, according to an Intel analysis of client and server test systems. The company said the update will be turned off by default for customers and that most system software vendors are expected to do the same. The patch will also address the Variant 3a vulnerability, which was previously disclosed by Arm in January.
"Protecting our customers’ data and ensuring the security of our products remain critical priorities for me and everyone at Intel," Culbertson said. "Research into side-channel security methods will continue and likewise, we will continue to collaborate with industry partners to provide customers the protections they need. Indeed, we are confident that we will be able to develop mitigations for Intel products for any future side-channel issues."
Bob Venero, CEO of Holbrook, N.Y.-based solution provider Future Tech, No. 119 on the CRN Solution Provider 500, said the new Spectre and Meltdown variant raises the issue of when exactly the Spectre and Meltdown security holes will be fixed once and for all.
"The big concern is when does this end as researchers continue to pound at Spectre and Meltdown?" asked Venero. "Security researchers in my mind are giving cyber terrorists the time and the information they need to potentially exploit Spectre and Meltdown."
Future Tech is currently doing weekly calls on Spectre and Meltdown mitigation with its top customers. "We are going through this week to week with our customers and Intel regarding what needs to be done with browsers, systems and firmware," said Venero. "This is a very time, labor and resource intensive activity. Where does this end? We need closure on this so we can focus more with our customers on business productivity rather than remediation."
Venero said he is "cautiously optimistic" and "fearful" at the same time that at some point a hacker will exploit the Spectre and Meltdown security holes.
Kent Tibbils, vice president of marketing of Fremont, Calif.-based ASI Corp., said Intel's new disclosure shows that the company is learning to respond faster and coordinate with different parties to stay on top of emerging vulnerabilities.
"It seems like this time they were out in front of it, unlike last time when they were caught behind," he said.
Ric Opal, vice president at Oak Brook, Ill.-based SWC Technology Partners, said the latest vulnerability again showcases the value that partners with well-defined managed services offerings around security can bring to customers.
The best defense is good hygiene — not only patching, but governance, risk evaluation and other practices.
"If you're just constantly doing what you need to do, and you have governance around that and a great security program, then although we cannot predict what's going to happen tomorrow, we can certainly reduce any given customer's exposure to what might be coming," Opal said.
The latest threat illustrates that point — the patch for Variant 1, aka Spectre, mitigates Variant 4.
But IT teams are already doing more with less, and struggle to stay current in an environment where "innovations are coming rapidly, threats are coming even more rapidly."
That creates an opportunity for partners like SWC, which offers a proactive detection service called Managed Threat Defense.
"You need a few more hands to help do that, why not rely on the channel to do that," Opal said.
Additional reporting by Steve Burke and Joseph Tsidulko.