A total of eight new security flaws in Intel CPUs have already been reported to the manufacturer by several teams of researchers. For now, details on the flaws are being kept secret....So far we only have concrete information on Intel's processors and their plans for patches. However, there is initial evidence that at least some ARM CPUs are also vulnerable....Knowing that Google Project Zero discovered one of the Spectre-NG flaws gives us an idea of when to expect the first patch. Googles elite hackers are scrupulous about observing the 90 day deadline that is meant to give companies time to address flaws after they have been notified – but they have no qualms about going public when the deadline ends, even if a patch has yet to be released. Time will run out on May 7 – the day before the next Windows patch day. Intel itself expects that information about a second flaw could be published any day now. Therefore, we can expect to see patches for these two vulnerabilities sooner rather than later.There are signs that Microsoft is also preparing for CPU patches....Intel itself classifies four of the Spectre-NG vulnerabilities as "high risk"....One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server....However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level. Cloud service providers such as Amazon or Cloudflare and, of course, their customers are particularly affected.
