Since the beginning of the year, Intel, along with its partners and competitors, has been working on fixes and updates to address the flaws revealed by Google’s Project Zero. Intel has now developed a hardware-level fix for both Meltdown and Spectre variant 2. Intel says that the next version of its 8th Gen Core processors and its Xeon Scalable processors (Cascade Lake), both shipping in the second half of the year, will get the hardware fix. Moreover, as of last week, Intel has released microcode updates for its processors from 2nd gen (Sandy Bridge) all the way to the latest generation.
Intel’s CEO Brian Krzanich says, “We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both variants 2 and 3. Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.” Note that Intel refers to the Meltdown flaw as variant 3. However, there is no hardware-level fix for variant 1 of the Spectre bug, and Intel will continue to address it through software mitigations. That said, variant 1 of the Spectre flaw is the most worrisome bug of them all, because attacks that exploit it work against the basic principles of speculative out-of-order execution.
AMD, which is also affected by the Spectre variant 1 flaw, was dealt a big blow a day earlier when Israeli security agency CTS Labs published a white paper detailing four new classes of flaws in AMD’s Ryzen and EPYC processors. All four require physical access or elevated administrator privileges. While the findings of the new security agency, which was founded less than a year ago, can’t be taken lightly, its conduct in this situation doesn't seem ethical. Under normal circumstances, when a security vulnerability is found, companies are given a 90-day heads-up, but here AMD was given just 24 hours' notice. CTS Labs did not provide any explanation for why it did so. Moreover, the language in the white paper seems severely hyped, including the names given to the vulnerabilities.