A pair of vulnerabilities affecting Intel and AMD CPUs has been discovered, and each affects multiple generations of processors on systems that haven't been updated yet.
The new threats are called "Downfall" and "Inception," and they rely on speculative execution in ways similar to the Meltdown and Spectre bugs, respectively. Both are described as being of "medium" severity, with Downfall impacting Intel chips and Inception targeting AMD processors.
Intel and AMD have both issued OS-level microcode updates to address the vulnerabilities. As reported by Ars Technica, the two companies have also confirmed that they have not identified any existing exploits for either vulnerability.
However, it's important that manufacturers issue their own updates to address the issues once Intel and AMD make them available. Both Downfall and Inception are risks to consumer products, servers, and workstations equipped with years-old Intel or AMD processors.
"The vulnerability is caused by memory optimization features in Intel processors that unintentionally reveal internal hardware registers to software. This allows untrusted software to access data stored by other programs, which should not normally be accessible. I discovered that the Gather instruction, meant to speed up accessing scattered data in memory, leaks the content of the internal vector register file during speculative execution. To exploit this vulnerability, I introduced Gather Data Sampling (GDS) and Gather Value Injection (GVI) techniques. You can read the paper I wrote about this for more detail."
Moghimi says Downfall is a "successor" to the Meltdown vulnerability, as they both rely on speculative execution to harm affected systems.
Intel says processors based on Skylake, Kaby Lake, Whiskey Lake, Ice Lake, Comet Lake, Coffee Lake, Rocket Lake, and Tiger Lake are all impacted by Downfall, along with other processor generations. That means most chips produced from 2015 onward are affected.
However, Intel's newest 12th- and 13th-generation chips based on Alder Lake and Raptor Lake are not affected. Meanwhile, Celeron, Pentium, and Apollo low-end CPUs are not affected, either.
Inception is also known as "CVE-2023-20569," and it's a descendant of the Spectre bug. It's described as "Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local access."
Security researchers at ETH Zürich's COMSEC group point out that this vulnerability can leak arbitrary data on a range of AMD processors, including Ryzen, EPYC, and Threadripper. The group has also published a proof-of-concept video showing off the vulnerability.
The good news is that these vulnerabilities have been addressed by Intel and AMD, and neither appears to be as dangerous as the vulnerabilities they are descended from, Meltdown and Spectre.
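To confirm that the microcode and OS updates mentioned above have actually taken effect on a Linux machine, the kernel's own status report can be read from sysfs. The script below is an added example, not part of the original article; it assumes a Linux kernel recent enough to expose the gather_data_sampling (Downfall) and spec_rstack_overflow (Inception) entries, and the verdict labels it prints are illustrative names.

```shell
#!/bin/sh
# Added example: summarize the Linux kernel's reported mitigation state for
# Downfall (Gather Data Sampling) and Inception (CVE-2023-20569).
# Assumption: the kernel exposes these two sysfs files; older kernels do not.

VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map a kernel status string to a short verdict (labels are this example's own).
classify_status() {
    case "$1" in
        "Not affected"*)   echo "not-affected" ;;
        "Mitigation:"*)    echo "mitigated" ;;
        # Kernel is aware of the issue but the CPU microcode is too old.
        *"o microcode"*)   echo "needs-microcode" ;;
        "Vulnerable"*)     echo "vulnerable" ;;
        # Typically seen in guests that cannot see the host's microcode state.
        "Unknown"*)        echo "unknown" ;;
        *)                 echo "unrecognized" ;;
    esac
}

# $1 = directory holding the status files, $2 = file name.
check_vuln() {
    if [ -r "$1/$2" ]; then
        classify_status "$(cat "$1/$2")"
    else
        # File absent: kernel predates the check, or this is not Linux.
        echo "no-report"
    fi
}

report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    echo "Downfall  (gather_data_sampling): $(check_vuln "$dir" gather_data_sampling)"
    echo "Inception (spec_rstack_overflow): $(check_vuln "$dir" spec_rstack_overflow)"
}

report "$@"
```

A "no-report" or "needs-microcode" result means the OS or firmware update has not yet reached the machine, even if the vendor has released one.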
Might be a good time to upgrade to Apple silicon
Still, if nothing else, these widespread vulnerabilities are a gentle reminder that Apple has moved away from Intel in its choice of processors. The company is now all-in with Apple silicon, meaning it doesn't need to worry about Intel or AMD vulnerabilities like these.
It's worth noting that there are still some vulnerabilities that can pop up, even for Apple silicon. The "PacMan" flaw was an echo of Spectre and Meltdown in 2022, for instance, albeit one that did not seriously harm any computers out in the real world.