Slashdot Mirror


Google and Microsoft Disclose New CPU Flaw, and the Fix Can Slow Machines Down (theverge.com)

An anonymous reader quotes a report from The Verge: Microsoft and Google are jointly disclosing a new CPU security vulnerability that's similar to the Meltdown and Spectre flaws that were revealed earlier this year. Labelled Speculative Store Bypass (variant 4), the latest vulnerability is a similar exploit to Spectre and exploits speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year, and Intel says "these mitigations are also applicable to variant 4 and available for consumers to use today." However, unlike Meltdown (and more similar to Spectre) this new vulnerability will also include firmware updates for CPUs that could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks. The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.

"If enabled, we've observed a performance impact of approximately 2-8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems," explains Leslie Culbertson, Intel's security chief. As a result, end users (and particularly system administrators) will have to pick between security or optimal performance. The choice, like previous variants of Spectre, will come down to individual systems and servers, and the fact that this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.

4 of 83 comments

  1. Re:Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 5, Informative

    Or perhaps that's just the skeptic in me talking.

    I'm replying AC because this affects my company but Intel basically says in the advisory that the one mitigation that DOES affect CPU performance is not really necessary if you have a modern OS and modern web browser. I'm not certain this is true, I am not affiliated with Microsoft, GPZ, or Intel, but I do know that this issue has been researched by Intel, Microsoft, and GPZ for many months. In fact, the initial indications suggested that it was worse than it actually is after applying January microcode updates and updating OS and browser.

    That update is going to be enabled/disabled by the user based on a BIOS or OS toggle and Intel recommends it be disabled under most circumstances. I don't know when they recommend that you enable it, but I assume it is going to be important for cloud hosting providers.

  2. Re:Perverse way to drive future CPU upgrades by AmiMoJo · · Score: 3, Informative

    It's hard to take anything that Intel says seriously. Last time they said the hit would be a few percent, and people were seeing 60%.

    Best to avoid them altogether. And sue in small claims court if you are already a victim.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  3. Re: Perverse way to drive future CPU upgrades by Anonymous Coward · · Score: 0, Informative

    That is not simply true. Intel have provided microcode updates only back to Haswell.

  4. Re:cpuid by Wolfrider · · Score: 3, Informative

    > So, in the future CPU makers don't need to invent new names. We'll just identify CPUs with the name of the newest vulnerabilities they have :)

    --You joke, but the Linux kernel already does this when you do 'cat /proc/cpuinfo':

    model name : Intel(R) Core(TM) i5-x400 CPU @ 2.70GHz
    bugs : cpu_meltdown spectre_v1 spectre_v2

    --
    .
    == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
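
An added example (not part of the thread and not the kernel's own tooling) that reads the `bugs` line shown in the comment above and cross-references it with the per-issue status files Linux exposes under `/sys/devices/system/cpu/vulnerabilities`, where variant 4 appears as `spec_store_bypass`. The function names and the sample data are constructed for illustration.

```python
from pathlib import Path

# Constructed sample in /proc/cpuinfo layout (not captured from a real machine).
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass\n"
    "\n"
    "processor\t: 1\n"
    "bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass\n"
)
# Constructed sysfs contents: file name -> status line.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
    "spec_store_bypass": "Vulnerable",
}

def parse_bugs(cpuinfo_text):
    """Return {processor number: set of names on its 'bugs' line}."""
    bugs, cpu = {}, None
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu = int(value)
            bugs[cpu] = set()
        elif key == "bugs" and cpu is not None:
            bugs[cpu] = set(value.split())
    return bugs

def read_status(vuln_dir="/sys/devices/system/cpu/vulnerabilities"):
    """Return {file name: status line}; empty on kernels without the directory."""
    d = Path(vuln_dir)
    return {p.name: p.read_text().strip() for p in d.iterdir()} if d.is_dir() else {}

def unmitigated(bugs_by_cpu, status):
    """List (bug, status) pairs not reported as mitigated or not affected."""
    found = []
    for bug in sorted(set().union(*bugs_by_cpu.values())):
        # cpuinfo prints "cpu_meltdown" where sysfs has "meltdown"; names with no
        # matching sysfs file are reported as "unknown" rather than guessed.
        state = status.get(bug.removeprefix("cpu_"), "unknown")
        if not state.startswith(("Mitigation", "Not affected")):
            found.append((bug, state))
    return found

if __name__ == "__main__":
    live = Path("/proc/cpuinfo").exists()
    text = Path("/proc/cpuinfo").read_text() if live else SAMPLE_CPUINFO
    for bug, state in unmitigated(parse_bugs(text), read_status() if live else SAMPLE_STATUS):
        print(f"{bug}: {state}")
```

With the constructed sample, only `spec_store_bypass` is reported, matching the off-by-default setting the summary describes.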