One of the scarier things about the disclosure of the Meltdown and Spectre chip design flaws earlier this year was that the discovery of this technique opened an entirely new attack vector. Intel, Google, and Microsoft revealed a new exploit method Monday that, fortunately for PC users and cloud vendors, doesn’t appear to be nearly as severe as the problems patched earlier this year.
Variant 4 is another side-channel exploit that takes advantage of a design flaw in modern chips that use speculative execution to increase the speed at which they can process instructions. Last year researchers from Google figured out how to time an attack to exploit gaps in that decades-old execution technique, kicking off a frantic six-month process to patch operating system and cloud vendor systems ahead of the January disclosure of Meltdown and Spectre.
In a blog post Monday, Intel’s Leslie Culbertson said that while Variant 4 falls into the same basic category as Meltdown and Spectre, patches rolled out earlier this year by browser makers for the earlier flaws should address this one. Intel is going to make a patch available in part because this technique can be used if an attacker has local control of your machine, but if that happens Variant 4 is the least of your worries. Intel believes the risk of such an exploit is low enough to ship the patch turned off by default to avoid a slight performance hit.