Intel's Spectre Variant 4 Microcode Update Off by Default
In this Ask the Admin, I look at Spectre Variant 4 and whether it will affect performance as its distributed over the coming weeks.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Unless you’ve been hiding under a rock since January, you probably know about the Spectre and Meltdown vulnerabilities that were made public at the beginning of 2018. Spectre and Meltdown could allow a malicious program to access protected memory using speculative execution and caching, two techniques that improve the performance of modern processors. Spectre and Meltdown are both forms of side-channel attack where a malicious program establishes the location of data in the CPU cache.
Microsoft issued patches for CVE-2017-5753 (Spectre Bounds Check Bypass – Variant 1), CVE-2017-5715 (Spectre Branch Target Injection – Variant 2), and CVE-2017-5754 (Meltdown Rogue Data Cache Load – Variant 3) in January’s round of cumulative updates for Windows. For complete protection against the three vulnerabilities listed above, a microcode update from Intel also needs to be applied.
The January updates protect against three specific ways of exploiting the Spectre and Meltdown vulnerabilities. But last month, Google Project Zero made public a new way to exploit Spectre. Intel has dubbed the new threat as a Speculative Store Bypass (SSB). Or Spectre Variant 4. It has been assigned a Common Vulnerability and Exposures (CVE) number: CVE-2018-3639. Additionally, another vulnerability has been identified. Rogue System Register Read (RSRR), or Spectre Variant 3a (CVE-2018-3640) as it’s also known. Although, this one is thought to be less serious than Spectre Variant 4.
According to Intel, “Most leading browser providers have recently deployed mitigations in their Managed Runtimes — mitigations that substantially increase the difficulty of exploiting side channels in a modern web browser. These techniques would likewise increase the difficulty of exploiting a side channel in a browser based on SSB.”
So, these new vulnerabilities are less likely to be a problem if your operating system and browsers are running the latest versions and patches.
Intel Microcode Updates
Nevertheless, Intel has distributed beta microcode updates to hardware manufacturers to protect against both SSB and RSRR. One side effect of the fixes is that it will impact performance by up to eight percent. According to Intel executive vice president Leslie Culbertson, “If enabled, we’ve observed a performance impact of approximately two to eight percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems”.
Because existing browser patches for Spectre Variant 1 help protect against Variant 4, Intel plans to ship the fixes for Spectre Variant 3a and 4 ‘turned-off’ by default because the risk is deemed to be low. Intel and AMD are recommending leaving the mitigations for these vulnerabilities disabled. But if an OEM or use chooses to enable them, a performance hit can be expected.
Unless the advice from Intel, or other chip manufacturers changes, I recommend leaving the fixes disabled. But a risk assessment should be performed for each device to establish whether the performance tradeoff might be worth taking to get the extra protection that will come with the updated microcode.
In this Ask the Admin, I looked at the risk associated with the Spectre Variant 3a and 4 exploits and how existing patches already provide some protection.
Follow Russell on Twitter @smithrussell.