Updated at 2:30 p.m. Pacific: CERT has dropped its advice that users replace the CPU. See details below.
As word of the massive security flaw in central processing units (CPUs) spread yesterday, companies responded to reassure customers and explain the steps they are taking to deliver software patches that address the issues.
But the Computer Emergency Response Team, or CERT, has issued a statement saying there is only one way to fix the vulnerability: replace the CPU. CERT is based at Carnegie Mellon University and is officially sponsored by the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications.
“The underlying vulnerability is primarily caused by CPU architecture design choices,” CERT researchers wrote. “Fully removing the vulnerability requires replacing vulnerable CPU hardware.”
They also advise users to apply the various software patches but note that this will only “mitigate the underlying hardware vulnerability.”
The pronouncement from CERT doesn’t carry any regulatory obligation for the companies whose CPUs are affected. But the vendors that CERT lists as being affected include many of the biggest names in tech: AMD, Apple, ARM, Google, Intel, Microsoft, and Mozilla.
Together, those companies account for a massive portion of the chips used in computers and smartphones. Were they to come under legal or public pressure to provide replacement CPUs, the costs would be almost impossible to calculate.
For now, the companies have to hope that the software patches reduce security risk sufficiently to avoid widespread legal actions and further public backlash.
Updated at 2:30 a.m. Pacific with new CERT information and Intel comment: One day after recommending that the only way to address the security issue was to replace the CPU, CERT has dropped that recommendation entirely. It also rephrased the section about applying software updates to read: “Apply updates: Operating system and some application updates mitigate these attacks.” That wording replaces the line that previously said the patches would only “mitigate the underlying hardware vulnerability.”
VentureBeat was alerted to the changes by Intel spokeswoman Agnes Kwan. In an email, Kwan said, “CERT updated its vulnerability note to correct some inaccuracies.” Kwan also wrote, “Note that we are also working with CERT to replace the mention of ‘some application updates’ in this latest version, as it’s inaccurate.”
We’ve reached out to CERT and Intel to clarify the reasons for changing the advice regarding CPU replacement.
Part of the issue may be that no CPUs currently being made are free of the underlying flaw, so there are no replacement chips that would actually fix the issue.
Updated at 2 p.m. Pacific: The CERT Division of the Software Engineering Institute at Carnegie Mellon University issued the following statement about the change to the vulnerability recommendations:
“We are not currently recommending hardware replacement as a response to the Meltdown and Spectre vulnerabilities. The issues are caused by the complex interaction between CPU hardware and operating system software, and our updated advice is to apply operating system updates when available. Our goal is to provide accurate, actionable advice based on available information and our evolving understanding. As a result, we sometimes update Vulnerability Notes as we refine our recommendations.
Our knowledge of these vulnerabilities is developing quickly through our interactions with vendors and the security community as well as through our own testing and analysis. Vulnerability Note VU#584653 is the product of ongoing analysis and is being updated regularly as our understanding changes.”
In a subsequent email, Intel spokesperson Agnes Kwan clarified that “operating system and firmware patches mitigate all three variants.”