A few months ago Intel promised that it would start shipping processors with hardware-based protections against the Meltdown and Spectre vulnerabilities in the second half of 2018. That will include upcoming 8th-gen Intel Core processors and Intel Xeon chips based on the new “Cascade Lake” architecture.
But while those chips will offer hardware-based protections against Variant 2 (the Spectre branch target injection flaw) and Variant 3 (Meltdown), Threatpost reports that Intel’s upcoming chips will not include hardware to protect users from Spectre Variant 4-based attacks.
In other words, even if you buy a computer with a state-of-the-art processor this year, you’ll still need a software or microcode update to protect yourself from the latest vulnerability.
Spectre Variant 4, also known as Speculative Store Bypass (CVE-2018-3639), is a speculative execution side channel vulnerability similar to the other Spectre variants: the processor may speculatively execute a load before an earlier store to the same address has completed, briefly exposing stale data that an attacker can observe through a side channel. It was disclosed this week by Google’s Project Zero and Microsoft’s Security Response Center, and Intel notes that the web browser mitigations already deployed for Variant 1 (such as reduced timer precision and site isolation) also help protect users against Variant 4 attacks launched from JavaScript.
In fact, while Intel says it has already started making microcode updates available to partners to help mitigate the risk of Spectre Variant 4, the company says the mitigation is switched off by default, since Intel rates this vulnerability as less critical than some of the others (its advisory classes the risk as moderate).
Computer makers and software vendors will be able to turn the mitigation on if they want extra protection, but Intel says that with the feature enabled, computer users may see a 2 to 8 percent drop in performance in benchmarks (and maybe in real-world performance).
Update: Intel says it has added functionality to its microcode called Speculative Store Bypass Disable (SSBD), a control bit that an operating system or application can set, which can be used to help offer protection against this and future vulnerabilities.
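Because the mitigation ships switched off and depends on both a microcode update and operating system support, a practitioner will want to check all three layers. The program below is an added example (not code from the article or from Intel) that does this on Linux/x86: it classifies the kernel’s sysfs status line for the mitigation, asks CPUID whether the loaded microcode advertises the SSBD control bit, and opts the calling process into the mitigation with prctl(), which is how a piece of software can turn the protection on for itself when the platform leaves it off. It assumes GCC or Clang (for <cpuid.h>) and a kernel that has the PR_SET_SPECULATION_CTRL option (mainline 4.17 and distribution backports); the constants are the published Linux uapi and CPUID values, and the fallback status strings are constructed.

```c
/* Added example: not code from the original article or from Intel.
 * Three checks for Spectre Variant 4 (Speculative Store Bypass) on Linux/x86:
 *   1. classify the kernel's status line for the mitigation,
 *   2. ask CPUID whether the loaded microcode advertises the SSBD control
 *      bit (CPUID.(EAX=7,ECX=0):EDX bit 31 on Intel), and
 *   3. opt the calling process into the mitigation with prctl(), the way a
 *      program can switch on a protection the platform leaves off by default.
 * Assumes a kernel with PR_SET_SPECULATION_CTRL (mainline 4.17 and distro
 * backports); the "unknown" fallback string in main() is constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#if defined(__linux__)
#include <sys/prctl.h>
#endif
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Fallback definitions for libc headers that predate the Variant 4 fix;
 * values are those of include/uapi/linux/prctl.h. */
#ifndef PR_SET_SPECULATION_CTRL
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_DISABLE (1UL << 2)
#endif

#define SSB_SYSFS "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"
#define CPUID7_EDX_SSBD (1u << 31)

enum ssb_state { SSB_UNKNOWN, SSB_MITIGATED, SSB_VULNERABLE, SSB_UNAFFECTED };

/* Classify one line read from SSB_SYSFS, e.g.
 * "Mitigation: Speculative Store Bypass disabled via prctl and seccomp". */
enum ssb_state classify_ssb(const char *line)
{
    if (strncmp(line, "Mitigation:", 11) == 0)  return SSB_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return SSB_VULNERABLE;
    if (strncmp(line, "Not affected", 12) == 0) return SSB_UNAFFECTED;
    return SSB_UNKNOWN;
}

/* Pure bit test so the CPUID decoding can be checked without the CPU. */
int edx_has_ssbd(unsigned int edx)
{
    return (edx & CPUID7_EDX_SSBD) != 0;
}

/* 1 if the running CPU advertises SSBD, 0 if not (old microcode, or a
 * hypervisor hiding the bit), -1 if leaf 7 is unavailable or not x86. */
int cpu_advertises_ssbd(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid_count(7, 0, &eax, &ebx, &ecx, &edx))
        return -1;
    return edx_has_ssbd(edx);
#else
    return -1;
#endif
}

/* Ask the kernel to set SSBD for this process and its future children.
 * 0 on success; -1 with errno set: ENXIO when the kernel is not in prctl
 * mode (mitigation globally off, globally on, or unsupported by the CPU),
 * EINVAL on a kernel that predates the option. */
int ssbd_opt_in(void)
{
#if defined(__linux__)
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS,
                 PR_SPEC_DISABLE, 0, 0);
#else
    errno = ENOSYS;
    return -1;
#endif
}

int main(void)
{
    char line[128];
    FILE *f = fopen(SSB_SYSFS, "r");
    if (!f || !fgets(line, sizeof line, f))
        strcpy(line, "unknown (sysfs entry missing: kernel too old?)\n");
    if (f)
        fclose(f);
    printf("kernel status : %s", line);
    printf("classified as : %d (0 unknown, 1 mitigated, 2 vulnerable, 3 unaffected)\n",
           classify_ssb(line));
    printf("CPUID SSBD    : %d (1 yes, 0 no, -1 n/a)\n", cpu_advertises_ssbd());
    if (ssbd_opt_in() == 0)
        printf("prctl opt-in  : SSBD now enabled for this process\n");
    else
        printf("prctl opt-in  : refused (%s)\n", strerror(errno));
    return 0;
}
```

A kernel that reports "Vulnerable" while CPUID shows the SSBD bit usually means the kernel was booted with the mitigation disabled; the reverse (no CPUID bit, kernel reporting "Vulnerable") means the microcode update has not been applied, and no amount of software configuration will help until it is. The prctl opt-in is per process, which is the trade-off the article describes: a vendor can pay the performance cost only in the processes that run untrusted code, such as a browser’s renderer.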
So what’s next?
I wouldn’t be surprised to see Intel incorporate hardware fixes for Spectre Variant 4 in the next chips it develops, likely to be released in late 2018 or early 2019. That would offer more protection without taking the same toll on performance.
But any new vulnerabilities discovered after those chip designs are finalized will likely have to be addressed by microcode and software updates.
And the same cycle will probably continue for a while. The Spectre and Meltdown vulnerabilities disclosed this year represent a new class of flaw in modern processor design, and it’s likely that security researchers will continue to discover and disclose new variants in the months and years to come. Chip makers like Intel will most likely have to keep playing catch-up with each new processor generation unless they disable speculative execution altogether, and that would probably cost far more performance than the microcode updates do.
Intel isn’t the only company affected by Spectre Variant 4: Microsoft notes that some AMD and ARM chips are also affected “to varying degrees.”