Fourth variant of Spectre and Meltdown identified by Microsoft and Google

Attackers could steal information from open browser tabs by using CVE-2018-3639

The long tail of Spectre and Meltdown continues to plague the chip industry, with a new vulnerability just found by researchers at Google and Microsoft. It has been assigned the identifier CVE-2018-3639.

Like the original flaws, this one stems from speculative execution, which is a technique that modern chips use to optimise their performance by making assumptions about upcoming operations.

If the CPU speculatively begins an operation that turns out not to be needed, it should unwind and delete all of the related data. However, in some circumstances parts of that data remain cached and accessible.

CVE-2018-3639 is the fourth variant of the speculative execution flaw. Spectre covers versions one and two (CVE-2017-5753 and CVE-2017-5715), and variant three is Meltdown (CVE-2017-5754). Like its predecessors, CVE-2018-3639 has been said to affect CPUs from all major manufacturers, including Intel, AMD and ARM, as well as IBM's Power 8, Power 9 and System Z processors.

Malicious actors are able to exploit the vulnerability using script files running in a program to lift information from other parts of the application. JavaScript on a website could be used to copy data that is open in another browser tab, for example.

Intel has said that the fixes it has already deployed for variant one (CVE-2017-5753) should make attacks based on CVE-2018-3639 more difficult. No exploit code targeting the vulnerability has been spotted in the wild yet.

Leslie Culbertson, Intel's EVP of product security, has said that Intel and other manufacturers are working on new fixes to counter malware that could exploit the new variant; they are being tested now.

The new fixes will be off by default, with customers having the choice to enable them or not. This is probably because (a) the risks from variant four are already low, and (b) Intel et al. have run into problems with their patches in the past. Intel says that the fix affects performance by up to eight per cent.