Do you think that the “Ghost” and “Meltdown” security vulnerabilities disclosed at the beginning of the year have become a thing of the past? No, because there are too many products that they affect, there are more than one loopholes.
Today, Intel officially published an article explaining in detail the latest research on side-channel analysis (Side-Channel Attace), relevant details and defense information about Vulnerability Variation 4.
Variation 4 of Ghost/Fisher Vulnerability was jointly announced by the Google Project Zero team (GPZ) and the Microsoft Security Response Center (MSRC). Like other variants, it uses prediction execution functions that are common to most modern processor architectures. Exposing specific types of data through side channels.
Researchers have demonstrated variant 4 in a language-based runtime environment (mainly web browsers such as JS), but no examples of successful attacks have been identified.
Since January of this year, most major browser vendors have patched vulnerabilities variant 1 in their management runtimes. These defenses also apply to variants 4.
However, to ensure that defensive measures are more comprehensive and to prevent variant 4 from being exploited in other ways, Intel and partners provide additional defenses, including BIOS microcode and software updates.
Currently, Intel has provided OEMs and systems vendors with a beta code update for variant 4, which is expected to be integrated into various BIOSes and software updates in the coming weeks.
It is worth noting that this defensive measure will be set to Default off , Let the user choose whether to enable. Intel expects that most industry software vendors will use the default shutdown option, which has no effect on performance.
If this patch is enabled, approximately 2-8% performance penalty will occur based on client benchmarks such as SYSmark 2014 SE, server SPEC integer rate, etc.
In addition, The new update also includes microcode for variant 3a (read by malicious system registries) publicly documented by ARM in January, and it has no effect on performance.
