CERT: Only way to fix Meltdown and Spectre vulnerabilities is to replace CPU

“As word of the massive security flaw in computer processing units spread yesterday, companies responded to reassure customers and explain the steps they are taking to deliver software patches to address the issues,” Chris O’Brien reports for VentureBeat.

“But the Computer Emergency Response Team, or CERT, has issued a statement saying there is only one way to fix the vulnerability: replace the CPU,” O’Brien reports. “CERT is based at Carnegie Mellon University and is officially sponsored by the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications. ‘The underlying vulnerability is primarily caused by CPU architecture design choices,’ CERT researchers wrote. ‘Fully removing the vulnerability requires replacing vulnerable CPU hardware.'”

O’Brien reports, “They also advise users to apply the various software patches but note that this will only ‘mitigate the underlying hardware vulnerability.'”

Read more in the full article here.

MacDailyNews Take: Okay, who’s in the market for a computer of any sort – desktop or mobile – containing such flawed CPUs?

Crickets, at the very least, from the smart consumers.

When flawed, insecure, and therefore defective products are sold to consumers, recalls and/or recompense are the proper responses.

Intel et al. are going to try to sell us on a software bandaid instead of really fixing the problem properly.

BTW: Intel’s CEO Brian Krzanich sold off the majority of his shares after finding out about the irreparable chip flaws.

Let the richly-deserved class action lawsuits begin!

Security flaws put nearly every modern computing device containing chips from Intel, AMD and ARM at risk – January 4, 2018
Apple has already partially implemented fix in macOS for ‘KPTI’ Intel CPU security flaw – January 3, 2018
Intel’s massive chip flaw could hit Mac where it hurts – January 3, 2018


    1. Unfortunately Apple just confirmed that all iOS devices have the same CPU flaw. That means iPhone, iPad, AppleTV. The only device without the flaw is the Apple Watch (I’m assuming it’s processor doesn’t preemptive solve).

      1. You are wrong.
        Apple produces its own custom chip line for all of its Apple iDevice mobile devices.
        The older Mac lineup of computers is another story.
        So, Apple’s Intel Macs may be affected all the way back to the Apple Mac Intel CPU switch which started in 2006.

  1. … “replace the CPU” … in billions of computers worldwide – thus crippling the economies of several small countries and putting secure computing out of reach of many consumers who have perhaps saved up their last pennies to buy a computer as a luxury item.

    Not really an option. And, not an option for laptops with soldered in CPUs either. Even socketed CPUs in laptops are going to be difficult to replace. Computer repair shops would also be working non-stop on doing this and forever running out of thermal paste.

    So, while the only secure solution it’s not a practical solution.

    Not sure there is a practical solution.


    1. Tough shit.

      The number of products affected doesn’t matter. If it cripples the sellers of DEFECTIVE GOODS, so be it.

      “Intel et al. are going to try to sell us on a software bandaid instead of really fixing the problem properly.”

      1. Apparently Apple has already fixed the problem with High Sierra 10.13.2 and may have additional security coming with 10.13.3. Tests confirm no slow down in performance. That is one benefit Apple has. They can move fast on problems like this.

          1. “may be diminished by up to 30 percent”. It depends on the system and the patch. Sounds like CERT is just being careful. There probably are situations where the performance hit is significant.

            My understanding is that OSX hasn’t been vulnerable to most of this exploit for a while and will add some additional security. Tests have already been done and it would appear Macs see no significant slowdown. It probably isn’t zero but if it’s almost zero who cares.

            1. Yes here’s my results…

              Geekbench 3.3.2
              Hexacore Mac Pro (2013)
              single multi
              32 bit 3127 18019
              64 bit 3513 20375

              single multi
              32 bit 3258 18240
              64 bit 3571 20338

              single multi
              32 bit 3291 18569
              64 bit 3529 20001

            2. I did look at many informed opinions. It is not a difficult exploit to understand. Meltdown is taken care of and Spectre requires some browser patch.

            3. And have you seen the final fixes coming out of Apple, MS, and Google? Their impact on performance, if any? Or are some solutions “pre-approved”?

              If anything, I published my benchmark results here and so far have shown that there is no impact on performance. So far….

  2. It seems to me that even ARM chips are susceptible to the flaw, no? If so, no computing device is safe. And there is no computing device available on the market currently to replace them with. And no safe processors to replace them with. Ugh! Are Apple’s own Ax chips free of this flaw?

  3. Re:
    MDN Take:Let the richly-deserved class action lawsuits begin!
    The Republican CONgress is trying to castrate your class action rights. The Bill is already through the House (HR985) and is in the Senate- before the Judiciary Committee.

    To quote an article in The Hill:
    “The Fairness in Class Action Litigation Act was approved 220-201. It requires proof that each proposed member of a class-action suit has the same extent of injuries before a federal court can certify it.

    Rep. Jamie Raskin (D-Md.) argued the overriding purpose of the bill is to make it virtually impossible for class-action lawsuits to be brought by groups of people who have been injured by a consumer rip-off, pharmaceutical drug mistake, faulty product design, sex discrimination or sexual harassment in the workplace, or lead and asbestos poisoning.”


    Better get your Lawyers on it before Trump and his GOP CONgress gut your rights.

    1. Unbunch your panties, knee-jerker.

      H.R. 985 is designed to prevent frivolous class action lawsuits, not lawsuits with merit.

      Under the current rules, lawyers can lump together thousands or even millions of people in a single lawsuit that is so expensive and risky to litigate that companies nearly always settle. Those settlements, in turn, are nearly always lucrative for the lawyers but deliver pennies or less to their clients.

      Among other things, the class action act would introduce these reforms:

      • Lawyers only get paid if their clients get paid: Fees in class actions would be based on the amount of money class members actually collect, not the made-up number lawyers often present to the court to get their settlement approved.

      • Lifting the veil of secrecy: Lawyers would be required to give the Federal Judicial Center a full accounting of the amount of money disbursed in class action settlements, a number that is now typically known only to the lawyers themselves. This would discourage the practice of negotiating agreements that lawyers for the plaintiffs and defendants both know will reach very few class members.

      • No more “no-injury” lawsuits: Under the act, courts could certify a class action only if all the proposed class members suffered the same injury as the representative plaintiff. Unless the lawyers can identify the entire class and explain to the court how they will be paid, there is no class action.

      For too long, trial lawyer-driven class action abuses have saddled American businesses with unnecessary and burdensome lawsuits.

      And who profits from these lawsuits? The trial lawyers.

      Tell Congress: Take up and pass tort reform!

      1. Your last bullet point, which states, “Under the act, courts could certify a class action only if all the proposed class members suffered the same injury as the representative plaintiff.”, is the asinine one.

        Let’s take this current CPU fiasco as an example. The proposed representative plaintiffs may actually be harmed in that they may have been sued if their contracts with customers claim to provide some advanced level of data security, which is not an unreasonable thing for many third party data centers. However, under the requirement given above, it would be impossible to show that the thousands of data centers that had not yet been sued over security concerns suffered the exact same injury — even if the proposed class were only data center operators.

        While, in general, I agree that in the vast majority of class action suits the only people who see any real benefit are the lawyers, there are many, many scenarios where a class action lawsuit may be valid yet not be able to be brought forward simply because the plaintiff’s lawyers could not certify that *all* members of the proposed class suffered the *same injury*.

        Also the concept of “same injury” is overly broad or overly narrow depending on the judge involved. Is a gas improperly categorized by a creator that caused a person to have a lung removed but only caused another person to be on oxygen for the rest of their life a case where they had the “same injury”? Both would have been permanent deficiencies in lung capacity, but a judge could easily say that being on oxygen is not the same as having to have a lung removed. In this hypothetical case the set of individuals permanently, negatively affected by the manufacturer’s improperly documented chemical could be excluded from the class even though their injury was significant, just not “the same injury”.

        It’s definitely not a knee-jerk reaction to say that part of the bill is flawed in the extreme.

      2. First of all the law was written by Lobbyists to protect them from Asbestos and other ongoing problems- not to reform the legal system.

        As to your rant regarding abusive cases- any Judge can refuse to grant standing to any person or persons filing. That does not require a pre-emptive law, just a competent judge.

        Tort reform is a heavy handed attempt to place big money and corporate interests above the law, just as they attempt to do with mandatory arbitration. They want you to sign away your legal rights as a condition of service or purchase.

        The funny (as in strange) thing about Republicans who call themselves Libertarians is that they hold out lawsuits as the recourse against bad actors instead of regulation. When citizens are stripped of their right to sue or are limited, there ceases to be any restraint upon bad actors other than government regulation.


      3. The Intel issue is a pretty clear demonstration of the need for a class action environment where the consumer is not hindered, like the new legislation proposed.

        The issue with the Intel fault is that it lays each computer open to hacks that can harm exposed consumers. Because of the nature of the issue (and its newness) class actions against Intel will be far more popular than against Apple on the battery issue

    2. Stop being a dumb-ass pawn. Stop getting your “news” from leftist fronts.

      Lawyers and law firms have given more money to House and Senate candidates and party committees than any other industry, with an overwhelming majority going to Democrats.

      Lawyers are top donors in all of the most competitive Senate races. The top lawyer lobby in Washington is a leading bundler and PAC donor for the Democrats’ official and unofficial campaign committees.

      Trial lawyers love Democrats because Democrats advance policies that help trial lawyers make money. More regulation and more legislation often means more litigation. Democrats oppose tort reform, while Republicans support tort reform. Democrats push laws that create all sorts of legal ambiguities and liabilities, which yields profits for lawyers.

      The industry’s main lobby is the American Association for Justice — formerly known as the American Trial Lawyers Association. AAJ is an officially registered lobbyist bundler for the Democratic Senatorial Campaign Committee and directly contributing $60,000 to the DSCC.

      Each cycle, contributions from lawyers/law firms favor Democrats by a significant margin:

      1. Here’s another “brutal truth.” The defendants in product liability suits have lawyers, too. In fact, the defendants typically have more lawyers, and their lawyers are better paid than the plaintiff’s lawyers. The defense lawyers also have access to all the assets of the corporate defendant to provide or fund research and expert witnesses, while the plaintiffs’ lawyers are generally expected to fund all of that out of their own pockets.

        The plaintiffs’ lawyers will be reimbursed for expenses if they win, of course, but ONLY if they win… just as they will only be paid any attorney’s fees if they win. The defense lawyers bill their expenses and hourly fees, and collect them as the hours are performed.

        Filing suit is expensive. Financing a lawsuit is expensive. Unless they are already wealthy, plaintiffs cannot afford to upfront those costs. Lawyers cannot afford to advance the expenses unless the prospect of return exceeds the probable cost of litigation. When a faulty product causes a consumer less than thousands of dollars in damages, it is almost never cost-effective to file an individual suit. It is even less cost-effective to file millions of individual suits.

        The solution for that is to allow class-action suits in which the entire class can share the cost of litigation out of their collective proceeds. The alternative is for product liability to be a wrong without an effective remedy. Restricting class action suits is a preemptive strike on behalf of the manufacturers of bad products.

        Because they are paid whether they win or lose, the money available from corporate lawyers and their clients to fund defense-oriented lobbyists dwarfs the cash available to plaintiff-oriented lobbyists. Legislation like this bill reflects that. Here in Texas, we were promised that “lawsuit reform” would bring down insurance rates and associated costs. In fact, the near abolition of medical malpractice suits has handed bad doctors a license to kill without significantly affecting the cost of insurance or medical care.

        There are a lot of law-school-trained legislators on the state level and in Congress, but you will find that most of them represented corporations when they were in private practice, not individual plaintiffs. Those with a criminal law background were overwhelmingly prosecutors and did not represent individual clients. More judges come out of government or corporate practice than out of individual representation as well.

        Blaming the plantiffs’ bar for product liability and malpractice suits is like blaming a hit-and-run victim for crossing the street just when a rich guy wanted to run a red light.

      2. The Hill is hardly a leftist news front.

        Are some trial lawyers abusive of the system? Yes.
        Does that mean we need to gut the legal rights of every citizen to sue? No.

        Since some drivers flout the speed laws and abuse the highways, by your logic we should all be banned from the Interstate. Sounds pretty stupid.

        Most of the people bitching about Tort law have been sued because they deserved it. It’s cheaper to buy a Politician than to do the right thing.

  4. There, of course, there is another way to solve this problem. It is a two step process.

    Step 1: Start thinking about the internet differently then we do.


    Along with step two would be a huge change in the economics of the web. Things like “analytics” wouldn’t be allowed to be sent from you to a web server. What if the only things that could be allowed to be sent FROM your computer to a web server was your screen size, account name and password and the ONLY thing allowed to be sent from a web-server TO YOU would be something that could be displayed on the screen? No cookies, no files, nothing.

    When you needed to receive a file, it would be FTP like. When programs needed to be sent, it would be an Apple App store like situation where the SENDER was responsible to make sure the program (or app) wasn’t malicious. Everyone who sends apps through the web or collects money on the web would be required to have an “agent” with a location known to local authorities. If I buy an APP from a business in Middle America, City, USA and that APP causes something bad to happen to my computer, I call the Sheriff in Middle America, City and that Agent is arrested and stays in jail until my computer is made right. Foreign companies would still have to have local agents in America.

    This is a dramatic change in how the web functions and how people think about the web. I realize that most will say “that’s impossible” but, it is really a way to make the web safer. In my view, the real problem is people don’t think about the web as they should and we have been led around with a ring in our nose by computer operating system and hardware vendors, web operators that generally don’t have our best interests at heart, and (sometimes) criminals who think they can get away with their crimes through being anonymous and outside the jurisdiction of the law. Maybe this CPU problem will wake people up. Maybe it is time to DEMAND something very different then we’ve had in the past.

    1. Let me be a little clearer: there would be a distinction between “data” and “code” for web based activities. The code would already be on your computer, the data could be sent. For example, a movie player (code) would already be on your computer. The non-malicious functioning of that movie player would be the responsibility of the provider of that movie player. The movie itself would be the data. It would be ILLEGAL to include code in that movie. Agents would be legally responsible for both the code and data. Individuals would be held responsible. Criminal activity would quickly be identified. Penalties would be severe.

      I realize that fundamentally coding is done with “objects” that can contain both code and data. What I’m saying we need to think differently about that.

  5. MDN, I am certain Intel prefer the bandaid approach can you imagine the cost and logistics to replace CPU’s worldwide? Yikes!
    But how do you know the problem can even be fixed in a current CPU architecture ? What I mean is Intel may not be able to take the Broadwell Xeon E5-2600v4 series for example and fix it there and release a fixed E5-2600v4 (basically a new stepping of same CPU series). Software and microcode fixes may be the only hope. We don’t know and I don’t think you do either.
    It will certainly interesting to watch how this plays out with respect to how Intel will handle the situation. The software patches are known to hurt performance, some workloads are affected worse than others. That may not sit well with the industry in general once these roll out and the impact is felt everywhere. Intel may be forced to do more to fix it where possible.

  6. I’m not sure the manufacturing capacity exists to replace all the CPUs affected, no matter how just that idea may seem. In this case, we may all simply have to bend to reality. We’re going to have a problem (on some level) for a minimum of the next 10 years.

  7. NOTE:

    As has been added to the source article, CERT has withdrawn its original statement. This is their NEW statement:

    Updated at 2 p.m. Pacific: The CERT Division of the Software Engineering Institute at Carnegie Mellon University issued the following statement about the change to the vulnerability recommendations:

    “We are not currently recommending hardware replacement as a response to the Meltdown and Spectre vulnerabilities. The issues are caused by the complex interaction between CPU hardware and operating system software, and our updated advice is to apply operating system updates when available. Our goal is to provide accurate, actionable advice based on available information and our evolving understanding. As a result, we sometimes update Vulnerability Notes as we refine our recommendations.

    Our knowledge of these vulnerabilities is developing quickly through our interactions with vendors and the security community as well as through our own testing and analysis. Vulnerability Note VU#584653 is the product of ongoing analysis and is being updated regularly as our understanding changes.”

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.