Security org provides awkward advice in CPU bug saga

Jan 5, 2018 11:45 GMT

The United States Computer Emergency Readiness Team (US-CERT) said in an advisory published this week that addressing the Meltdown and Spectre vulnerabilities discovered in Intel, AMD, and ARM processors doesn’t necessarily come down to software patches, but to replacing the CPUs altogether.

The awkward advice posted on its official website has already been removed, but a cached version of the page (also shown in a screenshot attached to this article) still includes the reference to the recommended hardware replacement.

“The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” US-CERT said in the original advisory.

Software updates should do the job

The updated support document now recommends only applying software updates, and includes a table of links to official patches from companies like Google, Microsoft, Apple, Mozilla, and others.

“To execute code locally, an attacker would require a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are possible. Multi-user and multi-tenant systems (including virtualized and cloud environments) likely face the greatest risk. Systems used to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk,” US-CERT notes.

Software companies, including Microsoft, Mozilla, and Google, have already updated their solutions to prevent JavaScript-based attacks. While the first two shipped updates or new versions of their browsers to block exploits, the search giant only recommended that users configure Site Isolation, as a fully-featured patch would only land later this month with Chrome 64.

Firmware and software updates have already been shipped by the majority of companies, and Intel says that by the end of next week, some 90% of devices should be able to install patches to block Meltdown and Spectre attacks.

Microsoft will also publish Patch Tuesday updates on January 9, and Windows 7 and 8.1 fixes pushed via Windows Update will be part of the rollout.