Researchers disclose new Spectre exploit variant, but Intel and AMD leave mitigation off by default

The specter of Spectre still looms over chipmakers: a new variant of that most dire of chip flaws was disclosed today, and Intel has a patch ready to go. It is issuing the mitigation in tandem with the announcement, but the fix may come with a serious performance hit, which is why it will be off by default.

Like the other Spectre variants, this one has to do with “speculative execution,” a core component of modern computing architecture that predicts what might be required of it in the immediate future and executes on it, either keeping the results if the prediction is right or discarding them if not. Spectre variants basically trick the processor into revealing the data it uses for speculative execution, potentially allowing an attacker to get at even highly protected bits. Unlike Meltdown, which affected Intel primarily, Spectre affects other chip manufacturers as well.

Variant 4 is similar to but distinct from variants 1 through 3, and in this case takes place “in a language-based runtime environment.” JavaScript is such an environment and would be the most obvious place to attempt the exploit. It was discovered by Microsoft and Google researchers, who worked with the chipmakers to develop mitigations.

Variant 1 is the most similar, and there are already mitigations in place for it both in browsers and in microcode, which runs at a much lower level of the computer than the browser does. But, as Intel puts it, “to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.”

OEMs, which make components like motherboards, already have the fix. But like some other patches, this one will be left off by default. Why?

Probably because Intel observed a performance hit of “2 to 8 percent” when the fix was enabled. Accordingly, it has chosen in this case to let OEMs and consumers opt into having a slower, safer processor rather than opt out of it. Since many manufacturers live and die by the performance of their hardware, it seems unlikely they’ll choose the slow option, and few consumers are tech-savvy enough to enable it themselves.
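Since the mitigation is opt-in, the practical question for anyone running a machine is which setting is actually in effect. As an added example (not code from the article, Intel or AMD), the script below reads the per-issue status that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities, where this Variant 4 appears as spec_store_bypass, and reports whether each issue is mitigated, and for Variant 4 whether the mitigation is applied system-wide or only to processes that opt in through prctl. That sysfs directory, the "Vulnerable" / "Mitigation: ..." / "Not affected" line formats and the prctl opt-in are Linux kernel interfaces the article does not mention, so treat them as assumptions of this example.

```shell
# Added example, not from the article: summarise the Spectre-family mitigation
# status the Linux kernel reports in sysfs. The directory name and the status
# line formats below are the kernel's own conventions (assumed, not from the page).
VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# classify_status STATUS_LINE
# Prints one of: mitigated, vulnerable, not-affected, unknown.
# Returns 0 only when the issue is covered (mitigated or not affected).
classify_status() {
    case "$1" in
        "Not affected"*)  printf 'not-affected\n'; return 0 ;;
        "Mitigation: "*)  printf 'mitigated\n';    return 0 ;;
        "Vulnerable"*)    printf 'vulnerable\n';   return 1 ;;
        *)                printf 'unknown\n';      return 1 ;;
    esac
}

# ssbd_mode STATUS_LINE
# For the spec_store_bypass entry (Variant 4): is the mitigation always on,
# only applied to processes that opt in via prctl/seccomp, or off entirely?
# The more specific "via prctl" pattern must be tested before the generic one.
ssbd_mode() {
    case "$1" in
        "Mitigation: Speculative Store Bypass disabled via prctl"*) printf 'opt-in\n' ;;
        "Mitigation: Speculative Store Bypass disabled"*)           printf 'always-on\n' ;;
        "Not affected"*)                                             printf 'not-affected\n' ;;
        "Vulnerable"*)                                               printf 'off\n' ;;
        *)                                                           printf 'unknown\n' ;;
    esac
}

# report_vulnerabilities
# One line per sysfs entry plus a final count of entries still reported as
# vulnerable. Always returns 0 so it can be used under `set -e`.
report_vulnerabilities() {
    unmitigated=0
    if [ ! -d "$VULN_DIR" ]; then
        printf 'no %s on this system (not Linux, or a kernel without it)\n' "$VULN_DIR" >&2
        return 0
    fi
    for f in "$VULN_DIR"/*; do
        name=$(basename "$f")
        status=$(cat "$f" 2>/dev/null || printf 'unreadable')
        verdict=$(classify_status "$status") || unmitigated=$((unmitigated + 1))
        printf '%-28s %-13s %s\n' "$name" "$verdict" "$status"
        if [ "$name" = spec_store_bypass ]; then
            printf '%-28s variant 4 mitigation mode: %s\n' '' "$(ssbd_mode "$status")"
        fi
    done
    printf 'entries still reported vulnerable: %d\n' "$unmitigated"
    return 0
}

report_vulnerabilities
```

An "opt-in" result for spec_store_bypass means the microcode and kernel support are present but, as the article describes, nothing is protected unless a process (or its sandbox, such as a browser's) asks for it; "always-on" is the slower, safer setting the OEM or administrator has to choose deliberately.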

Critics of this choice aren’t hard to find; it’s arguable that Intel is simply putting performance over safety. But it’s also arguable that an 8 percent drop in speed just isn’t worth the tradeoff when the problem is already partially mitigated.

“I continue to encourage everyone to keep their systems up-to-date, as it’s one of the easiest ways to ensure you always have the latest protections,” writes Intel’s Leslie Culbertson. The easiest way, presumably, is for it to be enabled by default, but her heart is clearly in the right place.

(Update: AMD has a less substantial post describing its own mitigation efforts, which it will also be leaving off by default. No word on what the performance hit will be for AMD processors.)

Whatever your opinion of these decisions, the flaw and the mitigation are now out there, so theoretically the computing world is just a little bit safer. But let’s not fool ourselves: Variants 5 through 10 are probably out there too.