At the beginning of the year, everyone was talking about processor vulnerabilities called "Meltdown" and "Spectre" that potentially exposed data in everything[1] from servers and desktops to tablets and smartphones. The flaws, which impacted the chips in many popular devices, allowed hackers to inconspicuously manipulate a common efficiency technique used to speed data processing. As a result, chip manufacturers and software makers scrambled to issue patches and work out the performance sluggishness[2] that came along with blocking the risky optimizations.
At the same time, though, a larger concern was also looming: Spectre and Meltdown represented a whole new class of attack, and researchers anticipated they would eventually discover other, similar flaws. Now, one has arrived.
On Monday, researchers from Microsoft[3] and Google's Project Zero[4] disclosed a new, related vulnerability known as Speculative Store Bypass Variant 4[5] (Meltdown and Spectre collectively make up variants 1-3) that impacts Intel, AMD, and ARM processors. An attacker who exploited the bug could access data that is meant to be stored out of reach. In particular, it could expose certain components often used in web browsing that are meant to be isolated, for example, a JavaScript module that shows ads.
Microsoft says that the risk to users from this bug is "low," and Intel notes that there is no evidence that the flaw is already being used by hackers. Some systems, particularly browsers, already have some protection against Speculative Store Bypass attacks just from the initial Meltdown and Spectre patches. But as was the case before, chip manufacturers and software developers are now working to release tailored fixes—and SSB raises the same types of performance problems that emerged before.
"We know that new categories of security exploits often