Researchers have found a new flaw related to Spectre and Meltdown

The ghost is still in the machine

Researchers have identified a new variant (CVE-2018-3639) of the Spectre and Meltdown flaws that caused a public outcry in the chip industry last year.

Google and Microsoft say that, like the original flaws, this one stems from speculative execution. This is a technique that modern chips use to optimise their performance by making assumptions about upcoming operations.

If the CPU speculatively begins an operation that turns out not to be needed, it should unwind and delete all of the related data. However, in some circumstances parts of that data remain cached and accessible.

CVE-2018-3639 is the fourth variant of the speculative execution flaw. Spectre covers variants one and two (CVE-2017-5753 and CVE-2017-5715), and variant three is Meltdown (CVE-2017-5754). Like its predecessors, CVE-2018-3639 has been said to affect CPUs from all major manufacturers, including Intel, AMD and ARM, as well as IBM's Power 8, Power 9 and System Z processors.

Malicious actors are able to exploit the vulnerability using script files running in a program to lift information from other parts of the application. JavaScript on a website could be used to copy data that is open in another browser tab, for example.

Intel has said that the fixes it has already deployed for variant one (CVE-2017-5753) should make attacks based on CVE-2018-3639 more difficult. No exploit code targeting the vulnerability has been spotted in the wild yet.

Leslie Culbertson, Intel's EVP of product security, has said that Intel and other manufacturers are working on new fixes to counter malware that could exploit the new variant; they are being tested now.

The new fixes will be off by default, with customers having the choice to enable them or not. This is probably because (a) the risks from variant four are already low, and (b) Intel et al have run into problems with their patches in the past. Intel says that the fix affects performance by up to eight per cent.

Joseph Carson, chief security scientist at Thycotic, scathingly said: "Currently there is no permanent solution for these flaws (a nice way to avoid saying major security vulnerability), and everything we have seen so far is turn it off and accept reduced performance.

"It's a bit like a car manufacturer telling you, 'Remember that car we sold you? Well the locks don't really work, so to keep it from being stolen you can no longer drive it at 70mph; now it's limited to 50mph. Sorry, you can't have fast performance and security at the same time so you must choose only one'."