There are two distinct, albeit related, CPU vulnerabilities making recent news. One of them, "Meltdown," is Intel-specific. The other, "Spectre," is present in all recent Intel, AMD, and ARM CPUs (and potentially, any CPU that uses branch prediction and speculative execution). Meltdown can be repaired with kernel updates (there's already a patch for it in the Linux source repository), but the fix can slow performance by as much as 30%. Spectre is a more difficult vulnerability to exploit, but it has no fix short of replacing the CPU outright. Apparently not even a microcode update will suffice--Spectre is a flaw in the fundamental hardware design.

I think Spectre may be the greater cause for concern in the libre-software community. A lot of us are using relatively old Intel CPUs that predate the Intel Management Engine, but Spectre is thought to be present in ALL modern CPUs designed by Intel, AMD, and ARM, and the only fix for it is to replace the processor. And of course, replacing your CPU with a new one from Intel or AMD is going to get you the Intel ME or the AMD PSP.

NYT article: https://www.nytimes.com/2018/01/03/business/computer-flaws.html

The Guardian article: https://www.theguardian.com/technology/2018/jan/04/meltdown-spectre-computer-processor-intel-security-flaws-explainer

Google Project Zero blog post, with links to the Meltdown and Spectre papers: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

