The newly discovered vulnerabilities have been reported to the manufacturer, but are currently still kept secret. Hopefully the manufacturer will provide updates to fix the vulnerabilities before they are revealed, but as one of the vulnerabilities was discovered by Google's Project Zero team, there is a chance that Google will make the details public on 7th of May, when their 90-day notice period expires.
What do we know about the vulnerabilities? And who is affected?
Intel CPUs are confirmed to be affected. It is not yet confirmed whether ARM CPUs are also vulnerable, but it is highly likely. Research regarding AMD processors is in progress.
Intel classifies four of the vulnerabilities as "high-risk"; the danger of the other four is only rated as medium. One of the vulnerabilities supposedly enables an attacker to start his exploit code in a virtual machine (VM) and attack the host system from there - for example, the server of a cloud hoster. Alternatively, he can attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transfer are highly sought-after targets on cloud systems and are acutely endangered by this vulnerability. In general, the new vulnerabilities are believed to be easier to exploit, making it easier to perform attacks across system boundaries. As a result, providers of cloud services such as Amazon or Cloudflare and, of course, their customers are particularly affected.
When can we expect a patch for Spectre Next Generation?
Currently there is no patch available. Intel has not made an official statement on when patches will be available, but they are planning two patch waves: a first one should start in May; a second is scheduled for August. Microsoft is already preparing for CPU patches, which are expected to appear in the form of optional Windows updates.
What should system administrators do now?
When patches are made available, system administrators should prioritize multiuser and virtual environments, e.g. KVM, VMware Workstation, VMware Fusion, Windows Virtual PC, Microsoft Remote Desktop, Xen, Parallels Desktop for Mac, Oracle VM Server, VirtualBox, Parallels Workstation, VMware ESXi etc.
The concrete danger for private individuals and company PCs, however, is rather low, because there are usually other, easier-to-exploit vulnerabilities.
As with the previous Spectre patches, there is reason to believe that the patches may reduce performance, and thus all the patches should be intensively tested before a release.