Google and Microsoft have discovered new Meltdown and Spectre microprocessor vulnerability variants—known as 3A and 4. While MSSPs and security pros should study the advisories and implement potential corrective measures, researchers generally aren't pressing the panic button over these latest chip vulnerabilities.
According to a US Computer Emergency Readiness Team:
CPU hardware implementations—known as Spectre and Meltdown—are vulnerable to side-channel attacks. Meltdown is a bug that "melts" the security boundaries normally enforced by the hardware, affecting desktops, laptops, and cloud computers. Spectre is a flaw that an attacker can exploit to force a CPU to reveal its data.
Variant 3a is a vulnerability that may allow an attacker with local access to speculatively read system parameters via side-channel analysis and obtain sensitive information.
Variant 4 is a vulnerability that exploits “speculative bypass.”
Overall the "Variants 3a and 4 may allow an attacker to obtain access to sensitive information on affected systems," according to the US CERT memo.
In Microsoft's related alert, the company warned that attacks could leverage JavaScript JIT in combination with modern web browsers to potentially launch an attack. But here again, Microsoft said it has "taken steps to increase the difficulty of successfully creating" such an attack. For its part, Google issued an advisory here.
Meltdown & Spectre Vulnerability Variants 3A and 4: What MSSPs Should Do
MSSPs and security professionals should certainly read the various advisories. However, there's a good chance that many patches that address the issues are already in place -- thanks to earlier Spectre and Meltdown fixes, according to Reuters.
The Spectre and Meltdown family of vulnerabilities triggered widespread concerns earlier this year. At the time, technology managers and investors wondered if the issues would harm IT sales and investor confidence in multiple chip companies. Critics also wondered if associated software patches would degrade processor, operating system, database, and/or application performance.
Many organizations struggled to find and apply the correct patches. But overall, concern about the vulnerabilities has calmed down dramatically in recent months.