Identifying a flaw with your system is just half the battle, right? The other half is trying to figure out how to fix it. But if the fix only slows your machine down, it seems like it just sends you back to square one. While Google and Microsoft have identified a CPU flaw, but the fix can slow machines down.
The CPU Flaw
Microsoft and Google joined together to announce a new CPU security vulnerability that is similar to the flaws that were identified earlier this year: Meltdown and Spectre. They could allow hackers access to extremely sensitive data such as passwords and encryption keys.
This new CPU flaw, called Speculative Store Bypass (or variant 4), is similar to Spectre in that it “exploits speculative execution that modern CPUs use,” according to The Verge.
Microsoft put a high price tag of $250,000 on bugs that were discovered that were similar to Meltdown and Spectre back in March, but Speculative Store Bypass was actually discovered last November.
While all the major browsers were patched for Meltdown, Intel notes that “these mitigations are also applicable to variant 4 and available for consumers to use today.”
That’s great! Problem solved, right? Apparently it’s not, as unlike Meltdown, this new flaw also has firmware updates for CPUs that could affect the performance of your machine.
The Bad Choice
What a choice that is! You can either deal with the CPU flaw and worry that hackers will be stealing your sensitive data, or you can take the fix and slow your system down. That’s not so much of a choice, is it?
Intel has created beta versions of microcode updates for Speculative Store Bypass. They expect them to be ready for the public in the near future. The firmware updates will set Speculative Store Bypass to being off by default, which should ensure that most users’ systems won’t be slowed down.
“If enabled, we’ve observed a performance impact of approximately two to eight percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems,” explained Intel’s security chief, Leslie Culbertson.
So you may still have to choose between security or performance, but the hope is that your system will be like most others, and you won’t have to make that choice. Microsoft is working with Intel and AMD to find out what the performance impacts are on systems.
“We are continuing to work with affected chip manufacturers and have already released defense-in-depth mitigations to address speculative execution vulnerabilities across our products and services,” said a spokesperson for Microsoft.
“We’re not aware of any instance of this vulnerability class affecting Windows or our cloud service infrastructure. We are committed to providing further mitigations to our customers as soon as they are available, and our standard policy for issues of low risk is to provide remediation via our Update Tuesday schedule.”
Intel is hard at work as well, working on CPU changes. They’re redesigning processors to better protect against vulnerabilities. Their next-gen Xeon processors will have built-in hardware protections, and 8th gen Intel Core processors will be shipping in the last half of 2018.
Moving Forward
Moving forward, how do you, the consumer, feel about this new CPU flaw? Will it affect you? How would you choose if forced to choose between security and a slower machine? Sound off in our comments section below and let us know.
