Cybersecurity experts from Google and Microsoft have discovered a flaw in computer chips related to the Meltdown and Spectre hardware vulnerabilities found earlier this year.
The flaw is seen to affect a broad swathe of devices with chips from AMD, ARM, and Intel. It has been dubbed “Speculative Store Bypass” or “Variant 4.” Attackers that successfully exploit this vulnerability may be able to read “privileged data” such as passwords and encryption keys.
“Vulnerable code patterns in the operating system (OS), or in applications, could allow an attacker to exploit this vulnerability,” Microsoft added. At the time the announcement was made on Monday, Microsoft said it was still not aware of exploitable code patterns of this kind in its infrastructure.
Likewise, Microsoft believes the risks of a Variant 4 exploit are low because of patches already issued earlier this year to address Spectre. “Microsoft is working with CPU manufacturers to assess the availability and readiness of new hardware features that can be used to resolve [the flaw].”
Microsoft said its web browsers, and those of other major firms, have already taken steps to increase the difficulty of exploiting Variant 4.
A report by AIG has warned that hackers’ motivations have changed. If before they focused on disclosing and monetizing data, now they seek to disrupt firms’ operations to reduce revenue.
The report cited the use of ransomware, which can make important data files inaccessible to firms until they pay the hackers. The “NotPetya” cyberattack of 2017 was a clear example - the ransomware attached itself to Ukrainian tax-filing software, allowing it to spread to multiple multinationals, including shipping giant Maersk and pharmaceutical manufacturer Merck, both of which operate in the Ukraine.
Maersk projected that the cyberattack would cause losses of up to US$300 million due to “serious business interruption,” as it had to reinstall and replace hardware.