Dubbed the Speculative Store Bypass (variant 4), the latest vulnerability is similar to Spectre and exploits the speculative execution that modern CPUs use. Browsers like Safari, Edge, and Chrome were all patched for Meltdown earlier this year. Unlike Meltdown - and more like Spectre - this new vulnerability harms firmware updates for CPUs and could affect performance. Intel has already delivered microcode updates for Speculative Store Bypass in beta form to OEMs, and the company expects them to be more broadly available in the coming weeks.
The firmware updates will set the Speculative Store Bypass protection to off-by-default, ensuring that most people won't see negative performance impacts.
Intel's security chief Leslie Culbertson warns that the patches will result in a performance impact of approximately two to eight percent based on overall scores for benchmarks like SYSmark 2014 SE and SPEC integer rate on client 1 and server 2 test systems.
Users, and particularly system administrators, will have to pick between security or optimal performance. The choice, like previous variants of Spectre, will come down to individual systems and servers, and this new variant appears to be less of a risk than the CPU flaws that were discovered earlier this year.