Second wave of Spectre-like CPU security flaws won’t be fixed for a while
The new bunch of Spectre-like flaws revealed last week won’t be patched for at least 12 days. German outlet Heise, which broke news of the eight Spectre-like vulnerabilities last week, has now reported that Intel wants disclosure of the flaws delayed until at least May 21. Last week, Heise noted that the planned coordinated release would include a Google Project Zero disclosure, which, as far as The Register can discern, has not yet happened.
Heise added that the bug affects any Core-i processors (and their Xeon derivatives) using microcode written since 2010, and Atom-based processors (including Pentium and Celeron) since 2013. If disclosure and patches arrive in May, they won’t complete Intel’s response to the bugs, Schmidt reported. Further patches, tentatively scheduled for the third quarter, will be needed to protect VM hosts from attacks launched from guests.
In addition to microcode fixes from Intel, operating system-level patches will also be necessary.