Bad news everyone: The majority of desktop, laptop, and server processors are vulnerable to a new type of attack called Hertzbleed that's extremely hard to mitigate against.
Hertzbleed is a power side-channel attack and works by taking advantage of the dynamic frequency scaling of x86 processors. As Tom's Hardware explains, a program can run at different CPU frequencies when carrying out a computing task and the power signature varies accordingly. An attacker can capture the power information, convert it to timing data, and use that to steal cryptographic keys.
As the Hertzbleed research paper (PDF) neatly summarizes, "Power side-channel attacks exploit data-dependent variations in a CPU's power consumption to leak secrets."
Hertzbleed impacts all 8th to 11th Generation Intel Core desktop and laptop processors, as well as several AMD desktop, mobile, and server processors, including Ryzen Zen 2 and Zen 3 desktop and laptop chips.
The only effective mitigation techniques have "an extreme system-wide performance impact" because they involve either disabling Turbo Boost on Intel chips and Precision Boost on AMD chips, or use modeled power instead of actual power throttling control algorithms.
The reason Hertzbleed is so serious is because it opens the door for an attacker to steal secure information by extracting AES cryptographic keys from remote servers. Neither Intel nor AMD have revealed plans to release microcode to patch the exploit, which means it remains a threat unless mitigated in software. And as the workarounds mentioned above are so detrimental to performance, it seems very unlikely they will be implemented.
Now for a bit of good news: According to Intel, the threat presented by Hertzbleed is minimized by the fact it takes hours to days to steal a cryptographic key using this attack method. In the list of mitigation techniques, Intel also lists some that come with much less of a performance impact, but only partially solve the problem.
The researchers who discovered Hertzbleed were asked by Intel to delay publicly disclosing it until yesterday, but now it is public, many more security researchers and engineers will be looking at the threat and hopefully better mitigation techniques will reveal themselves soon. And it's not like we haven't been through this before with the Spectre and Meltdown bugs.