- On Wednesday, Google and Intel disclosed “Meltdown” and “Spectre,” two ways to exploit Intel, AMD, and ARM processors and get access to confidential data.
- Originally, CERT/CC, a cybersecurity team with close ties to the United States government, said the only guaranteed way to mitigate the threat of Spectre was to replace all of the affected processors with updated ones.
- However, later on Thursday afternoon, CERT/CC withdrew that recommendation, saying merely that anybody affected should install operating system updates as soon as possible.
A highly-regarded and US government-linked cybersecurity organisation has quietly withdrawn its recommendation that users and manufacturers replace the chips in their devices to fully protect against a security vulnerability that just became public.
On Wednesday, Google and Intel informed the world of Meltdown and Spectre – two attack techniques that exploit a security vulnerability in Intel, AMD, and ARM processors that could potentially be used against almost every PC, tablet, and smartphone on the planet. Later that day, the Computer Emergency Response Team Coordination Center (CERT/CC) issued a security update that said the only way to protect against Spectre in particular would be to replace affected processors.
But on Thursday, the group deleted that recommendation. Its newly updated security bulletin simply says that “operating system and some application updates mitigate these attacks,” and provides a list of vendors that have updated their software to help guard against Meltdown and Spectre.
CERT/CC did not immediately respond to a request for comment.
The word of CERT/CC carries a lot of weight. It’s a part of the Software Engineering Institute, which is itself a non-profit that’s largely funded by grants from the US Department of Defence. Indeed, CERT/CC regularly consults with the Department of Defence, Department of Homeland Security, and the FBI on cybersecurity issues.
Google discovered the processor security vulnerability last year and informed Intel about it in June. However, the vulnerability and the related exploits didn’t become public until this week.
For more on Meltdown and Spectre, and what they mean, check out our simple guide here.
Operating system and software patches that address the exploits have already been released for Microsoft Windows, Google Android, the Linux operating system, Apple devices. More are on the way.
While CERT/CC has withdrawn its recommendation to replace processors, US-CERT – a related group that operates officially under the auspices of the Department of Homeland Security – has yet to update its own bulletin, issued earlier on Thursday. That bulletin still warns that chips may need to be replaced.
“Due to the fact that the vulnerability exists in CPU architecture rather than in software, patching may not fully address these vulnerabilities in all cases,” the bulletin says.
Meltdown and Spectre are made possible because of a processor feature called speculative execution. That feature has been used in almost every Intel processor since 1995, and is used by many AMD and ARM processors today.
The early recommendations to replace processors stemmed from the assumption that to fix the vulnerability in its entirety would require a new kind of processor that either doesn’t rely on speculative execution or implements it in a different way. The recommendations could have required Intel and other chipmakers to seriously reconsider how they design and build the next generation of processor hardware.
In the meanwhile, it looked like CERT/CC’s recommendation would be really hard to carry out. There aren’t a heck of a lot of high-powered processors out there that don’t rely on speculative execution.
In fact, that’s how Spectre got its name.
“As it is not easy to fix, it will haunt us for quite some time,” the official Meltdown/Spectre FAQ says.