New vulnerability found in processors

Microsoft and Google engineers jointly discovered a new vulnerability in Intel, AMD and ARM processors similar to Meltdown and Spectre. The threat has been named Speculative Store Bypass (Spectre variant 4, CVE-2018-3639). As with Spectre, the exploit relies on the speculative execution of instructions that modern CPUs perform.



The attack method resembles Spectre variant 1, but it relies on recovering data left in the processor cache after the result of a speculative operation has been discarded, when a write and a subsequent read that both use indirect addressing are processed. When a read follows a write (for example, mov [rbx + rcx], 0x0; mov rax, [rdx + rsi]), the read's address may already be known from earlier, similar operations (reads occur far more often, and can be served from the cache), so the processor can speculatively perform the read before the write, without waiting for the write's indirect-addressing offset to be computed. If, once that offset is known, the memory areas of the write and the read turn out to overlap, the processor simply discards the speculatively obtained read result and repeats the operation, but the cache state left behind by the speculative read remains observable.


A distinctive feature of Speculative Store Bypass is that it can be exploited from scripts running inside applications. In other words, attackers can place malicious JavaScript code directly on a web page, and a user is immediately at risk on visiting it. Attackers can then access data stored in the browser's memory, which may include search history, addresses, bank card details and more.


However, this vulnerability was found in November 2017, and Intel has already rolled out a beta version of the microcode to OEM manufacturers so that they can update their products. As with Spectre and Meltdown, it will result in a performance loss of 2–8%, according to the SYSmark 2014 SE test. Kernel package updates have already been built for RHEL and Ubuntu and are expected for SUSE and Debian.
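As an added example (not code from the Habr article or from any of the vendors it cites), a defender-side check in C: it classifies the status string the Linux kernel reports in /sys/devices/system/cpu/vulnerabilities/spec_store_bypass and opts the running process into Speculative Store Bypass Disable through prctl(PR_SET_SPECULATION_CTRL), the per-process control the updated kernels provide. The sysfs path and prctl constants are the standard Linux ones; the function and enum names are my own.

```c
// ssb_check.c: classify the kernel's reported SSB (CVE-2018-3639) mitigation
// state and opt this process into SSBD via prctl() where the kernel allows it.
#include <errno.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif
#ifndef PR_SET_SPECULATION_CTRL          /* older headers: values from linux/prctl.h */
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_DISABLE 4
#endif

enum ssb_state { SSB_NOT_AFFECTED, SSB_VULNERABLE, SSB_MITIGATED, SSB_OPT_IN, SSB_UNKNOWN };

/* Classify one line of /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
 * "Mitigation: ... via prctl" means SSBD is off by default and must be requested
 * per process; a bare "Mitigation: ..." means it is enforced system-wide. */
enum ssb_state classify_ssb_status(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0) return SSB_NOT_AFFECTED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return SSB_VULNERABLE;
    if (strncmp(line, "Mitigation:", 11) == 0)
        return strstr(line, "via prctl") ? SSB_OPT_IN : SSB_MITIGATED;
    return SSB_UNKNOWN;
}

/* Read the live status; SSB_UNKNOWN when the file is absent (non-Linux or pre-4.17 kernel). */
enum ssb_state read_ssb_status(void) {
    char buf[128] = {0};
    FILE *f = fopen("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass", "r");
    if (!f) return SSB_UNKNOWN;
    if (!fgets(buf, sizeof buf, f)) { fclose(f); return SSB_UNKNOWN; }
    fclose(f);
    return classify_ssb_status(buf);
}

/* Request SSBD for this process (inherited by children); 0 on success,
 * -1 with errno set when the kernel or CPU does not offer the control. */
int disable_store_bypass_for_self(void) {
#ifdef __linux__
    return prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
#else
    errno = ENOSYS; return -1;
#endif
}

int main(void) {
    static const char *names[] = {"not affected", "vulnerable", "mitigated", "opt-in via prctl", "unknown"};
    enum ssb_state s = read_ssb_status();
    printf("spec_store_bypass: %s\n", names[s]);
    if (s == SSB_OPT_IN && disable_store_bypass_for_self() != 0) perror("prctl");
    return 0;
}
```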


“We continue to work with affected processor manufacturers and have already taken deeper protection measures to eliminate the vulnerabilities of malicious performance in our products and services. We are not aware of any instance using this exploit that would affect Windows or our cloud services infrastructure. We are committed to further mitigating the consequences for our customers,” a Microsoft representative said.

Source: https://habr.com/ru/post/412475/