Chipmakers Intel and AMD have confirmed the existence of a new category of the Spectre vulnerability, which exploits the speculative execution features of modern CPUs.
CPUs from AMD, ARM and Intel are potentially affected.
“However, Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel,” the software vendor said.
The vendor said the risk posed by the vulnerability is low.
Microsoft’s Ken Johnson and Google’s Jann Horn independently discovered SSB, Microsoft said in its analysis of the vulnerability.
“Starting in January, most leading browser providers deployed mitigations for Variant 1 [of Spectre] in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser,” Intel’s Leslie Culbertson wrote in a blog entry.
“These mitigations are also applicable to Variant 4 and available for consumers to use today. However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.”
Microsoft and Intel said they had not seen any evidence of the newly disclosed vulnerability being exploited.
Intel said that its microcode updates to address Version 4 would also address an additional Spectre variant dubbed Variant 3a (CVE-2018-3640) or ‘Rogue System Register Read’ (RSRE).
“Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis,” Intel said its security notice.
German publication c’t was the first to report the existence of the new vulnerabilities. c’t reported that a total eight new Spectre-related vulnerabilities had been discovered.