Bugs emerged earlier this month in Intel and AMD processors that affect both client and server processors over multiple generations. Fortunately, the bugs were found some time ago and researchers kept it quiet while fixes were developed.
Google researchers found the Intel bug known as Downfall (CVE-2022-40982) and reported it to Intel more than a year ago, so both parties had plenty of time to work things out. The Downfall bug exploits a flaw in the "Gather" instruction that affected Intel CPUs use to grab information from multiple places in a system's memory. A Google researcher created a proof-of-concept exploit that could steal encryption keys and other kinds of data from other users on a given server.
According to Intel's support page, Downfall affects all client and server processors starting with the Skylake architecture and extending through Tiger Lake, along with a handful of others. That means most CPUs in Intel's 6th through 11th-generation Core lineups for desktop PCs are impacted, although Intel's newer 12th- and 13th-generation CPU architectures are not affected.
On the server side, the first through third generation Xeon Scalable processors are impacted but not the newest generation, known as Sapphire Rapids. It also affects Xeon D and Xeon E, used in micro-servers and low-end embedded systems, respectively.
AMD’s vulnerability, known as Inception, is much more wide reaching. It affects all four generations of its Zen architecture on both the client and the server.
Both bugs are related to speculative processing, similar to the Meltdown and Spectre bugs from a few years ago. So it's falling to the software guys to clean up a mess made in the chip world.
In posting a patch to the Linux kernel on Git, lead developer Linus Torvalds grumbled "this is yet another issue where userspace poisons a microarchitectural structure which can then be used to leak privileged information through a side channel."
There is apparently a performance hit to be had, at least on the Linux side. The GCC compiler, the standard open-source compiler use by Linux, has been updated to work around any performance hits, according to Phoronix.com.
Both Intel and AMD have issued firmware updates to their hardware to address the problem. Intel’s is here, and AMD’s can be found here. So start by downloading the microcode to update your firmware from the appropriate site.
Intel and AMD have each released microcode updates. They are required to install the Linux security patches, which will be in the upcoming Linux 6.5 kernel as well as versions 6.4.9, 6.1.44, 5.15.125, 5.10.189, 4.19.290, and 4.14.321. This covers the Linux 6.4 stable series and kernels under long-term support.
For its part, Microsoft released a fix for Downfall; details can be found here. The fix is part of the August update, so if you have installed the August fixes, you should be good to go. Intel’s vulnerability did not require a system update to enable protections, and Microsoft recommends referring to documentation guidance available here.