Intel trials microcode for browser-exploitable Spectre bug

Intel has issued microcode for its processors affected by a newly discovered information leak flaw that can be triggered via runtime environments such as Javascript in web browsers.

The new Spectre-like bug, Variant 4, or Speculative Store Buffer Bypass, was disclosed jointly by Google's Project Zero and Microsoft's Security Response Centre earlier this year and reported to Intel.

Variant 4 is triggered through a processor performance optimisation feature known as speculative execution.

This speeds up code execution by taking an educated guess at which branch will be taken next in the processor.

But researchers have show the feature can be abused to leak information via side channels.

The new flaw can be triggered through Javascript runtimes in web browsers.

Intel said most leading browser vendors have deployed mitigations in their software against Variant 4 since January this year.

The chipmaker said it is not aware of any real-world exploits taking advantage of Variant 4.

Intel said it is trialling beta microcode, or firmware that corrects processor errata, with its original equipment manufacturing partners.

The update will have the Variant 4 mitigation set to off by default, giving customers a choice of whether or not to enable it.

Should customers enable it, they are likely to experience an overall system performance slowdown of between two to eight percent, as measured by recognised benchmark software, Intel said.

The Rogue System Register Read or Spectre Variant 3 flaw that was disclosed in January this year is also patched with Intel's beta update. 

Intel said the Variant 3a mitigation does not lead to "any meaningful performance impact on client or server benchmarks."