A new CPU bug that shares a number of similarities with the Spectre and Meltdown exploits which came to light earlier this year, has been discovered. Termed the Speculative Store Bypass, it already has fixes and firmware updates that have been shipped out to OEMs to distribute, but there is some concern that the patches will impact processor performance when applied.
Speculative Store Bypass is much closer in design to Spectre, in that it exploits the speculative aspect of modern CPUs which helps speed up certain calculations. As Microsoft and Google each discovered in their research though, that speculation is vulnerable to exterior attack and can be exploited to steal data and personal information from a system’s user. With that in mind, new fixes are being developed that will shut down that functionality in affected processors, but as a result, some calculations will take longer to complete — and in some cases, that impact can be significant.
Although the firmware updates are seen as somewhat unnecessary, as earlier improvements to CPU security to prevent against Spectre should provide adequate protection against the new exploit, Intel has provided a full mitigation firmware update as well. The update is currently being distributed by OEM partners, but the patch will not be enabled by default and it will be up to software providers to decide whether they want to use it or not.
“If enabled, we have observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems,” Intel’s general manager of product assurance and security, Leslie Culberston said.
Considering that this newly announced flaw is harder to exploit than previous variations of the Spectre bug, it may be that most software providers do not choose to leverage the additional protections, as per The Verge. As with Spectre and Meltdown though, permanent fixes for the problem will only be possible through changes to the way the chips are designed and that will involve hardware alterations. Intel has promised that its next-generation CPUs will not be susceptible to these sorts of exploits.
