Researchers disclose new Spectre exploit variant, but Intel and AMD leave mitigation off by default

INSUBCONTINENT EXCLUSIVE:
The specter of Spectre still looms above chipmakers; a new variant of that most dire of chip flaws was disclosed today, and Intel has a
patch ready to go
It issuing the mitigation in tandem with the announcement that may come with a serious performance hit — which is why it will be off by
default. Like the other Spectre variants, this one has to do with &speculative execution,& a core component of modern computing architecture
that predicts what might be required of it in the immediate future and executes on it, either keeping the results if the prediction is right
or discarding them if not
Spectre variants basically trick the processor into revealing the data it uses for speculative execution, potentially allowing an attacker
to get at even highly protected bits
Unlike Meltdown, which affected Intel primarily, Spectre affects other chip manufacturers as well. Variant 4 is similar to but distinct from
variants 1 through 3, and in this case takes place &in a language-based runtime environment.& JavaScript is such an environment and would be
the most obvious place to attempt the exploit
It was discovered by Microsoft and Google researchers, who worked with the chipmakers to develop mitigations. Kernel panic! What are
Meltdown and Spectre, the bugs affecting nearly every computer and device Variant 1 is the most similar and there are already mitigations
in place for it both in browsers and in microcode, which is executed at a much lower level of a computer
But, as Intel puts it, &to ensure we offer the option for full mitigation and to prevent this method from being used in other ways, we and
our industry partners are offering an additional mitigation for Variant 4, which is a combination of microcode and software updates.& OEMs,
which make components like motherboards, already have the fix
But like some other patches, this one will be left off by default
Why Probably because Intel observed a performance hit of &2 to 8 percent& when the fix was enabled
Accordingly, it has chosen in this case to let OEMs and consumers opt into having a slower, safer processor than opt out of it
Since many manufacturers live and die by the performance of their hardware, it seems unlikely they&ll choose the slow option, and few
consumers are tech-savvy enough to enable it themselves. Critics of this choice aren&t hard to find; it arguable that Intel is simply
putting performance over safety
But it also arguable that an 8 percent drop in speed just isn&t worth the tradeoff when the problem is already partially mitigated. &I
continue to encourage everyone to keep their systems up-to-date, as it one of the easiest ways to ensure you always have the latest
protections,& writes Intel Leslie Culbertson
The easiest way, presumably, is for it to be enabled by default, but her heart is clearly in the right place. (Update: AMD has a less
substantial post describing its own mitigation efforts, which it will also be leaving off by default
No word on what the performance hit will be for AMD processors.) Whatever your opinion of these decisions, the flaw and the mitigation are
now out there, so theoretically the computing world is just a little bit safer
But let not fool ourselves: Variants 5 through 10 are probably out there too.