New Spectre (Variant 4) CPU Flaw Discovered
On May 21, 2018 Google Project Zero (GPZ), Microsoft, and Intel disclosed two new speculative-execution vulnerabilities related to the Spectre and Meltdown issues: Speculative Store Bypass (CVE-2018-3639), known as Variant 4, and Rogue System Register Read (CVE-2018-3640), known as Variant 3a.
As with the initial variants, Variant 4 abuses speculative execution, a performance feature common to most modern processor architectures, to expose certain kinds of data through a side channel. In this case the processor may speculatively execute a memory load before an older store to the same address has completed, so the load briefly operates on stale data, and the effects of that speculative work can be observed through a cache timing side channel. An attacker who has successfully exploited this vulnerability may be able to read privileged data across trust boundaries, for example from within a script running in a browser or from an unprivileged local process.
Intel has classified Variant 4 as "medium risk" because "many" of the most practical exploitation paths for Speculative Store Bypass, chiefly scripts running in a browser's JavaScript engine, were already closed by the mitigations Internet Explorer, Edge, Safari, Firefox, and Chrome shipped during the initial round of Spectre patches. However, since other exploitation paths remain possible, Intel and its partners (including PC makers and OEM system manufacturers) will be releasing microcode updates for Variant 4, delivered through BIOS/firmware and operating-system updates, in the "coming weeks." Intel has also said that this mitigation (Speculative Store Bypass Disable, SSBD) will ship off by default, so the operating system or the affected software must turn it on explicitly, and enabling it carries a measurable performance cost.
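A practitioner's first question after reading this is whether a given host actually has the microcode and kernel support in place. On Linux (4.17 and later, or distribution kernels with the fix backported) the kernel reports its Speculative Store Bypass status in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass. The following script is an added example, not code from the original article or from Intel or Microsoft; it classifies the kernel's own status strings, which matters because "disabled via prctl" means only processes that opt in through prctl(PR_SET_SPECULATION_CTRL) (or run under seccomp) are protected, while every other process is still exposed. The sample values in ssb_demo are constructed, not captured from a real host.

```shell
#!/bin/sh
# Classify one status line as reported by
# /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
# The matched strings are the ones the Linux kernel itself emits.
ssb_classify() {
    case "$1" in
        "Not affected")
            # CPU is not subject to Variant 4 at all.
            echo "not-affected" ;;
        "Mitigation: Speculative Store Bypass disabled via prctl"*)
            # Opt-in only: processes must request protection via
            # prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, ...)
            # or be sandboxed with seccomp; everything else remains exposed.
            echo "mitigated-opt-in" ;;
        "Mitigation: Speculative Store Bypass disabled")
            # Kernel booted with spec_store_bypass_disable=on: every
            # process is protected, at the cost of performance.
            echo "mitigated-global" ;;
        Vulnerable*)
            # Typical causes: CPU is affected but the running microcode does
            # not expose SSBD, or the mitigation was disabled at boot.
            echo "vulnerable" ;;
        *)
            echo "unknown" ;;
    esac
}

# Read the live sysfs entry on this host. A missing file usually means a
# kernel that predates the mitigation, so it cannot be mitigated either.
ssb_check_host() {
    f=/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
    if [ -r "$f" ]; then
        ssb_classify "$(cat "$f")"
    else
        echo "unknown"
    fi
}

# Constructed sample values (assumed, not captured from any real machine)
# covering every string the kernel can report.
ssb_demo() {
    for s in "Not affected" \
             "Vulnerable" \
             "Mitigation: Speculative Store Bypass disabled" \
             "Mitigation: Speculative Store Bypass disabled via prctl" \
             "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"; do
        printf '%-72s -> %s\n' "$s" "$(ssb_classify "$s")"
    done
}

ssb_demo
printf 'this host: %s\n' "$(ssb_check_host)"
```

Treat "mitigated-opt-in" as only partially protected: it is the kernel's default, and a service that neither calls prctl nor runs under a seccomp filter is in the same position as on a "vulnerable" host. A "vulnerable" result on a CPU listed as affected most often means the firmware or microcode update described above has not yet been applied.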
For more information about these vulnerabilities, see Microsoft's and Intel's articles below:
For a more technical analysis of the vulnerability (geared towards security researchers and engineers), see the article below: