Two New Variants of the Spectre Vulnerability Were Found by Security Researchers
On Monday, Google and Microsoft announced a new variant of the Spectre and Meltdown security flaw (Spectre Variant 3a). The chip that has this vulnerability is widely used in computers and mobile devices. Intel claimed that the newly discovered vulnerability was “Spectre Variant 4”. The company stated that although the latest variant is of the same type as the one discovered in January this year, it uses a different approach to obtain sensitive information.
“Spectre Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information,” reads the security advisory. “Spectre Variant 4 is a vulnerability that exploits ‘speculative bypass.’ When exploited, Variant 4 could allow an attacker to read older memory values in a CPU’s stack or other memory locations.”
The Spectre and Meltdown security flaws continue to affect chip makers such as Intel, ARM, and AMD, and are mostly found in the computer and mobile device chips produced by these companies. The flaw allows hackers to read sensitive information on the computer’s CPU and has affected millions of chips in the past two decades. Although vendors such as Apple, Microsoft, and Intel are all distributing patches to fix this vulnerability, some patches are not working and they also cause computers to malfunction.
Hackers often search online for known vulnerabilities and then attack computers that still have them. For example, the WannaCry ransomware attack that caused serious damage last year used a vulnerability that Microsoft had already patched. Computers that do not have system security updates installed are more vulnerable.
According to a blog post published by Intel, the company rated “Variant 4” as a medium-level risk because the multiple browser bugs related to the vulnerability have already been solved through the first patch. This new variant utilizes “Speculative Store Bypass”, which can cause processor chips to leak sensitive information to potentially insecure areas.
Intel said that it has not found any hackers using this vulnerability to launch an attack and will release a security patch to fix this vulnerability in the coming weeks. Leslie Culbertson, Intel's senior vice president in charge of security, said in a blog post that the company will provide the patch for the vulnerability to hardware vendors and software developers. She said that the patch update will not affect the performance of the computer.
In a security report released by Microsoft, the company said that the newly discovered variant may allow hackers to implant attack scripts in the browser’s JavaScript.
Researchers from Google's Project Zero first discovered the initial version of the vulnerability and reported it to Intel, AMD, and ARM in February this year. The team also marked the variant as a moderately serious risk.
Source: Softpedia