Earlier this year, Intel decided to expand its bug bounty program to help find more Spectre-like processor vulnerability variants. As part of this ongoing work, the chipmaker (along with Google and Microsoft) has disclosed a fourth exploit – Variant 4 – that uses speculative execution like the other GPZ variants.
Though details are not currently publicly available, the Intel bug bounty page mentions that the chipmaker paid out $100,000 to Kiriansky (vik) for a bug report.
Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. In this case, the researchers demonstrated Variant 4 in a language-based runtime environment.
Starting in January, most leading browser providers deployed mitigations for Variant 1 in their managed runtimes – mitigations that substantially increase the difficulty of exploiting side channels in a web browser. These mitigations are also applicable to Variant 4 and available for consumers to use today.
“However, to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates,” Culbertson added.
Intel said it has already delivered the microcode update for Variant 4 in beta form to OEM system manufacturers and system software vendors, and the company expects it to be released into production BIOS and software updates over the coming weeks. This mitigation will be set to off-by-default, providing customers the choice of whether to enable it.
“We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact. If enabled, we’ve observed a performance impact of approximately 2 to 8 percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client and server test systems,” she said.
Meanwhile, Intel has updated its security first website with a list of new FAQs to help anyone who needs more information.