Google Project Zero has spilled the beans. There are two classes of flaw, and both depend on the speculative execution that nearly every modern high-performance processor does. Put simply, ordinary unprivileged code can abuse speculation to read memory it should never be able to see, including kernel memory, which is extremely bad: passwords, encryption keys, everything that lives there is exposed. And contrary to the early speculation, these flaws are not Intel-only. The kernel-memory read that the OS changes described below work around is primarily an Intel problem, but the other variants affect ARM and AMD as well.
Okay, going to rewrite this to clear up any initial misunderstanding.
Recently, people noticed a pretty major and unannounced change to the way Linux handles virtual memory: the kernel's own pages are no longer kept mapped into each process while user code runs (the patch set is known as kernel page-table isolation, KPTI). Even more puzzling, there has been no communication about it whatsoever. In the past, a change this big would have been announced well in advance, debated, and then slowly implemented. Instead, it appears to have been executed in two months, and in secret.
Other people started digging and discovered that Microsoft had also done a sudden, big rewrite of the way Windows handles virtual memory, and MS started rolling the change out to Insiders in November. Two months.
Coupled with even more digging, it all points to a massive flaw in Intel CPUs that exposes kernel memory, which is very, very, very bad. This does not appear to be a flaw that can be fixed with microcode/firmware updates, which means it has to be fixed at the OS level: the kernel has to stop keeping its memory mapped while user code runs, and that adds a page-table switch on every system call and interrupt, so there is going to be a performance hit. How large? Unknown until the details and fixes are released, but it will fall hardest on syscall-heavy workloads.
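Since the hit lands on every kernel/user boundary crossing, the simplest way to size it on your own machine is to time a trivial system call before and after the patch. The following is an added example, not code from the original post: a small C microbenchmark that reports the best-of-N cost of a getpid(2) call, plus a reader for the kernel's own mitigation report. It assumes Linux (or another system providing syscall(2) and clock_gettime()); the /sys/devices/system/cpu/vulnerabilities/meltdown file is a later kernel interface (4.15 and up) and is treated as optional.

```c
// Added example (not part of the original post): measure what a
// kernel/user boundary crossing costs on the running machine. The
// mitigation splits kernel and user page tables, so every syscall and
// interrupt pays for a page-table switch; timing a trivial syscall
// before and after patching shows the difference directly.
//
// Assumptions: Linux (or a system with syscall(2) and clock_gettime());
// the sysfs "meltdown" file only exists on kernels 4.15+ and is optional.
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

#define STATUS_PATH "/sys/devices/system/cpu/vulnerabilities/meltdown"

// Read the kernel's own report of its mitigation status into buf.
// Returns buf, holding "not exposed" when the file is absent (older kernel).
static const char *read_mitigation_status(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) {
        snprintf(buf, len, "not exposed");
        return buf;
    }
    if (!fgets(buf, (int)len, f))
        snprintf(buf, len, "unreadable");
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return buf;
}

// Difference of two monotonic timestamps in nanoseconds (integer math
// first, so large tv_sec values do not lose ns precision in a double).
static double elapsed_ns(const struct timespec *a, const struct timespec *b) {
    return (double)(b->tv_sec - a->tv_sec) * 1e9 + (double)(b->tv_nsec - a->tv_nsec);
}

// Time `iters` getpid(2) calls, issued through syscall() so libc cannot
// serve them from a cache, and return the best-of-`rounds` cost per call
// in ns. Taking the minimum across rounds filters out scheduler noise.
static double syscall_ns_per_call(long iters, int rounds) {
    double best = -1.0;
    for (int r = 0; r < rounds; r++) {
        struct timespec t0, t1;
        clock_gettime(CLOCK_MONOTONIC, &t0);
        for (long i = 0; i < iters; i++)
            (void)syscall(SYS_getpid);
        clock_gettime(CLOCK_MONOTONIC, &t1);
        double per = elapsed_ns(&t0, &t1) / (double)iters;
        if (best < 0.0 || per < best)
            best = per;
    }
    return best;
}

int main(void) {
    char status[128];
    printf("meltdown status: %s\n",
           read_mitigation_status(STATUS_PATH, status, sizeof status));
    printf("getpid syscall: %.1f ns/call (best of 5 x 200000)\n",
           syscall_ns_per_call(200000, 5));
    return 0;
}
```

Run it once on the unpatched kernel and once after the update; the ratio between the two ns/call figures is the per-syscall overhead of the page-table switch, and a workload's actual slowdown is roughly that overhead multiplied by its syscall rate.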