Microsoft: New Processor Bug Could Leak Data

John Lister's picture

Both Microsoft and Google are warning of another bug in computer processors. It's similar to previous bugs known as 'Spectre' and 'Meltdown'.

For now the new issue has the less dramatic codenames 'Speculative Store Bypass Variant 4' and 'CVE-2018-3639'. As with Spectre and Meltdown, it involves a processor function known as speculative execution that's meant to improve computation processes. Unlike some bugs, it's classed as a low risk to users but is significant because of the sheer number of computers that could be affected.

The processor is the part of the computer that physically carries out tasks as a series of calculations. Speculative execution is a technique that involves the processor not simply waiting until being given specific instructions, which could increase the time it remains idle and thus slowing overall performance. (Source: alphr.com)

Educated Guess Could Speed Performance

Instead, computers make an educated guess about tasks they might be asked to carry out and then prepare some information in advance. As a rough analogy, imagine somebody working at the front desk of a police precinct who, in a quiet period on a Saturday afternoon, partially fills out several charge sheets with today's date and a charge of public intoxication. The chances are such incidents will indeed take place and this will save time when police come to log specific incidents.

The problem is when the prediction works out differently than expected. With the police desk, that's no problem: if it's a quiet night and no charges have been laid, the template sheets can be tossed into the garbage as the dates would therefore be invalid the next day. Similarly with the processors, the pre-gathered data should be deleted.

Bug Fix Could Slow Down PCs

However, the processor bugs mean that some of the data that's gathered is not only potentially sensitive, but could be intercepted by rogue software. One possible scenario would be code in one (rogue) webpage accessing data the speculative execution function has gathered from another tab open in the same browser.

The bug affects many processors from major chipmakers including AMD, ARM, IBM and Intel. They are currently assessing the severity of this latest variant and the risks of it being exploited before weighing it up against the drawbacks of issuing a fix. One possibility is making the fix optional to install as it could mean a small but noticeable decline in performance. (Source: computing.co.uk)

What's Your Opinion?

Should manufacturers continue to include the speculative execution function? Is a small risk of data interception acceptable if the performance boost is significant? Should the manufacturers make the bug fix automatic or let users decide whether to run it?

Rate this article: 
Average: 5 (8 votes)

Comments

Dennis Faas's picture

If it's a security risk then I would expect the operating system to be patched immediately, with no choice given to the user. A security risk that can allow rogue software to steal data is not something that should be taken lightly, especially if the majority of users aren't aware of the potential attack vector. In the days of ransomware and spying, this is not something you want running freely on a corporate network with poorly designed infrastructure. Surely over time they can refine the patch so that it does not impact as much performance.

Doccus's picture

Since so many OSs are blocked against receiving updates (I have snow leopard whixh has been blocked by Apple against aquiring security updates for a few years now, as it is about 6 years old).. OK maybe they have a very callous disregard for their users these days, or not.. but is it possible these chip makers would follow the same tack? I have no idea how a compatible fix could be issued for so many different-processors, but it probably would need to be implemented like a firmware update, which , if I recall, usually requires starting out in the OS before rebooting.
Any ideas on this?

Dennis Faas's picture

As with the Spectre and Meltdown, this exploit can only be patched one of two ways: by a BIOS (firmware) update for the motherboard - and only if one becomes available; or, by an operating system patch - and only if your operating system is supported and can receive security updates.

There is no firmware on a CPU. To permanently correct this problem the CPU would have to be redesigned by the manufacturer, but this will only affect new models going forward because the manufacturer isn't going to take your old CPU and fix it and then send it back to you. Since that is not going to help, the BIOS / system patch is the only workaround.

If you use an outdated / unsupported / unpatched operating system, you are asking for trouble. You should look at upgrading the MacOS, or put Linux on the system, as it is similar to MacOS and it's free.

Doccus's picture

Unfortunately, I have no option but to use the OS I have, Apple discontinued support for almost half of the applications I own 3 years after the OS came out, many were never updated for the new OS that came out only 6 months after Snow Leopard, because the developers, frankly, got sick of having to rewrite their applications every year due to significant OS incompatibilites.
Normally that wouldn't be an issue as I can just multiboot, but other drive cant take the latest OS either, as my mac is over 6 years old, and I just don't have 2 grand sitting around for a new one, which would be pointless anyways for something just to go online with. Time for a chromebook?