HomeWinBuzzer NewsCERT: "Meltdown and Spectre” CPU Security Flaw Can Only Be Fixed by...

CERT: “Meltdown and Spectre” CPU Security Flaw Can Only Be Fixed by Hardware Replacement

US government-backed cybersecurity team says the Meltdown and Spectre vulnerability can only be fixed by removing the affected CPU. Such an action would take a massive toll on the industry.


Yesterday it emerged a major processor-level kernel security flaw in CPUs could not be simply patched. Instead, a workaround for the so-called could severely compromise hardware performance. While cloud giants , , and say their systems are mostly protected, CERT says the only way to solve the issue it to change the affected CPU.

CERT is the Computer Emergency Response Team, based at Carnegie Mellon University. The team is sponsored by the U.S. Department of Homeland Security Office of and Communications. CERT says the only way to properly bypass the flaw is a processor switch.

“The underlying vulnerability is primarily caused by CPU architecture design choices,” CERT researchers say in a blog post. “Fully removing the vulnerability requires replacing vulnerable CPU hardware.”

The Meltdown and Spectre CPU flaw is embedded in the kernel operations within a system. When a command is sent to perform any task, the CPU passes control to the kernel, which stays below the surface in processes even once the CPU takes back control. This is to ensure smoother and faster performance, but also means systems are potentially at risk at kernel level.

In its newest chips, has overcome the problem with the Kernel Page Table Isolation (PTI) workaround. PTI places the kernel in a dedicated address space, making it unavailable to running processes. However, this comes are a costly price as is severely compromises performance.

Intel has yet to discuss this flaw, waiting under an embargo until the end of this month. If the PTI workaround is the only answer, it could prove problematic to companies that rely on fast processing. Some of those companies are the cloud giants like Amazon, Microsoft, and Google.

Incoming Regulatory Pressure?

In its advisory, CERT says users should apply patches, but these will only “mitigate the underlying hardware vulnerability.”

It is worth pointing out that CERT has no regulatory control despite being government-related. In other words, the team is not mandating companies and customers to remove the CPUs. However, considering the potential significance of this problem, some regulatory pressure from other departments is not out of the question.

The vulnerability is so widespread, it could affects most machines on the planet. It certainly affects all tech giants, such as , Google, AMD, Microsoft, Amazon, and of course Intel. If these giants were forced to replace CPUs, the costs would be truly massive.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News