Neither AMD nor ARM processors are affected by this bug.
This is the third bug due to speculative execution announced this year; on 3 January Intel announced two bugs that came to be known as Meltdown and Spectre in a disclosure process that was rushed due to public reports appearing ahead of a planned announcement date of 9 January.
Once again, it appears that the company had to disclose the vulnerability ahead of a planned date in either July or August. According to computer scientist Colin Percival, a former FreeBSD security officer, "My understanding is that the original disclosure date for this was sometime in late July or early August."
In its advisory, Intel characterised the vulnerability as moderate. In a statement, the company said: "This issue, known as Lazy FP state restore, is similar to Variant 3a (of Spectre). It has already been addressed for many years by operating system and hypervisor software used in many client and data centre products.
"Our industry partners are working on software updates to address this issue for the remaining impacted environments and we expect these updates to be available in the coming weeks."
While I have exploit code and it is being circulated among some of the relevant security teams, I'm not going to publish it yet; the purpose was to convince the relevant people that they couldn't afford to wait, and that purpose has been achieved. — Colin Percival (@cperciva) June 13, 2018
According to Linux expert Russell Coker, speculative execution comes about "when a program branches (eg. an 'if' condition) and the CPU starts executing the code on the most likely branch and then discards it if the other branch is taken".
"The bug might be something like performing speculative execution without adequate access checks such that a hostile application could have an instruction in what the CPU considers the most likely code path after a branch that accesses some memory and then sees what happens when it runs," he said, in an explanation about the two bugs at the time they were disclosed.
I was not part of the coordinated disclosure process for this vulnerability. I became aware of this issue after attending a session organized by Theo de Raadt at @BSDCan. It took me about 5 hours to write a working exploit based on the details he announced. — Colin Percival (@cperciva) June 13, 2018
Percival said: "The impact of this bug is disclosure of the contents of FPU/MMX/SSE/AVX registers. This is very bad because AES encryption keys almost always end up in SSE registers.
"You need to be able to execute code on the same CPU as the target process in order to steal cryptographic keys this way. You also need to perform a specific sequence of operations before the CPU pipeline completes, so there's a narrow window for execution."
Intel credited Julian Stecklina from Amazon Germany, Thomas Prescher from Cyberus Technology, Zdenek Sojka from SYSGO AG and Percival for reporting the issue and working with the company on co-ordinated disclosure.
But Percival said he had not been involved in the discovery. "I just reproduced it and wrote exploit code after all the important details leaked," he said, adding that he would release his exploit code after everybody had time to push patches out.