The United States Computer Emergency Readiness Team (US-CERT) said in an advisory published this week that addressing the Meltdown and Spectre vulnerabilities discovered in Intel, AMD, and ARM processors doesn’t necessarily come down to software patches, but to replacing the CPUs altogether.
The awkward advice posted on its official website has already been removed, but a cached version of the page (also shown in a screenshot attached to this article) still includes the reference to the recommended hardware replacement.
“The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” US-CERT said in the original advisory.
Software updates should do the job
The updated support document now only recommends to apply software updates, with a table grouping links to official patches from companies like Google, Microsoft, Apple, Mozilla, and others.
“To execute code locally, an attacker would require a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are possible. Multi-user and multi-tenant systems (including virtualized and cloud environments) likely face the greatest risk. Systems use to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk,” the US-CERT notes.
Read more: US-CERT Says Fixing Meltdown & Spectre Involves Replacing Your CPU
The awkward advice posted on its official website has already been removed, but a cached version of the page (also shown in a screenshot attached to this article) still includes the reference to the recommended hardware replacement.
“The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” US-CERT said in the original advisory.
Software updates should do the job
The updated support document now only recommends to apply software updates, with a table grouping links to official patches from companies like Google, Microsoft, Apple, Mozilla, and others.
“To execute code locally, an attacker would require a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are possible. Multi-user and multi-tenant systems (including virtualized and cloud environments) likely face the greatest risk. Systems use to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk,” the US-CERT notes.
Read more: US-CERT Says Fixing Meltdown & Spectre Involves Replacing Your CPU
