Meltdown and Spectre Revisit Intel, AMD and ARM Processors
Researchers from Google and Microsoft have discovered new flaws in AMD, ARM, and Intel processors.
Microsoft has published a technical analysis of Speculative Store Bypass (SSB), which has been assigned CVE-2018-3639. The vulnerability was discovered by Ken Johnson of the Microsoft Security Response Center (MSRC) and Jann Horn (@tehjh) of Google Project Zero (GPZ).
“SSB arises due to a CPU optimization that can allow a potentially dependent load instruction to be speculatively executed ahead of an older store. Specifically, if a load is predicted as not being dependent on a prior store, then the load can be speculatively executed before the store. If the prediction is incorrect, this can result in the load reading stale data and possibly forwarding that data onto other dependent micro-operations during speculation. This can potentially give rise to a speculative execution side channel and the disclosure of sensitive information,” Microsoft wrote in a blog post.
At the moment, Microsoft is downplaying the impact of the vulnerability, saying that the risk it poses to Microsoft customers is low. “We are not aware of any exploitable instances of this vulnerability class in our software at this time, but we are continuing to investigate and we encourage researchers to find and report any exploitable instances of CVE-2018-3639 as part of our Speculative Execution Side Channel Bounty program. We will adapt our mitigation strategy for CVE-2018-3639 as our understanding of the risk evolves,” the company said in a blog post.
The company has already released some fixes to mitigate Spectre and Meltdown, but as the Meltdown and Spectre stories continue to evolve, the companies involved will have to stay on their toes to keep up with new discoveries.
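The following is an added example, not part of the original article and not Microsoft's code. It assumes a Linux host, which the article does not cover: the Linux kernel reports its SSB mitigation state system-wide in sysfs and per task in `/proc/<pid>/status`, and this script classifies both. The fallback inputs are constructed samples.

```python
from pathlib import Path

# System-wide status file on Linux kernels that report CVE-2018-3639.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")

# (text to match, state, meaning); most specific match first.
RULES = [
    ("not affected", "not_affected", "kernel reports the CPU as unaffected"),
    ("disabled via prctl and seccomp", "opt_in_seccomp",
     "off for seccomp tasks and for tasks that request it via prctl"),
    ("disabled via prctl", "opt_in",
     "off only for tasks that request it via prctl"),
    ("bypass disabled", "global", "off for every task"),
    ("vulnerable", "vulnerable", "no mitigation active"),
]

def classify(status):
    """Map a system-wide status line to (state, meaning)."""
    low = status.strip().lower()
    for needle, state, meaning in RULES:
        if needle in low:
            return state, meaning
    return "unknown", "unrecognised status: " + status.strip()

def task_state(proc_status_text):
    """Return the Speculation_Store_Bypass field of /proc/<pid>/status text."""
    for line in proc_status_text.splitlines():
        key, _, value = line.partition(":")
        if key == "Speculation_Store_Bypass":
            return value.strip()
    return None

def needs_attention(system_status, proc_status_text):
    """True when this task may still have loads speculated past older stores."""
    state, _ = classify(system_status)
    if state in ("not_affected", "global"):
        return False
    task = task_state(proc_status_text) or ""
    return not ("mitigated" in task or task == "not vulnerable")

if __name__ == "__main__":
    # Constructed fallback inputs so the script also runs off-Linux.
    system = SYSFS.read_text() if SYSFS.exists() else "Vulnerable"
    proc = Path("/proc/self/status")
    text = (proc.read_text() if proc.exists()
            else "Speculation_Store_Bypass:\tthread vulnerable\n")
    print(classify(system), task_state(text), needs_attention(system, text))
```

A task that shows up as needing attention under an opt-in policy can request the mitigation for itself with `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0)`.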