The US Government brutally laid out the magnitude of the Intel processor vulnerabilities that affect almost everyone
- On Wednesday, Google and Intel disclosed "Meltdown" and "Spectre," two ways to exploit Intel, AMD, and ARM processors and get access to confidential data.
- CERT/CC, a federally-funded cybersecurity research team, says the only way to really eliminate the threat "requires replacing vulnerable CPU hardware."
- But there aren't many high-powered, modern processors that don't use the technology that makes processors vulnerable to Meltdown and Spectre in the first place.
On Wednesday, Google and Intel informed the world of "Meltdown" and "Spectre" - two massive security vulnerabilities in Intel, AMD, and ARM processors that affect almost every PC, tablet, and smartphone on the planet.
A short, but brutal, security update from the Computer Emergency Response Team Coordination Center (CERT/CC) lays out exactly how hard these vulnerabilities are going to be to fixed. Stamping out this issue once and for all will require drastic measures, says CERT.
"The underlying vulnerability is primarily caused by CPU implementation optimization choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware," says the bulletin.
The word of CERT/CC carries a lot of weight: It's a part of the Software Engineering Institute, which is itself a non-profit that's largely funded by grants from the US Department of Defense. Indeed, CERT/CC regularly consults with the Department of Defense, Department of Homeland Security, and the FBI on cybersecurity issues.
There are operating system and software patches for Microsoft Windows, Google Android, the Linux operating system, and reportedly Apple MacOS that "mitigate the underlying hardware vulnerability," and are thus worth installing, as CERT/CC writes in its bulletin.
For more on Meltdown and Spectre, and what they mean, check out our simple guide here.
But what CERT/CC is getting at is that Meltdown and Spectre are made possible because of a processor design concept called speculative execution. That concept has been put to use in almost every Intel processor since 1995, and many AMD and ARM processors today.
To fix the problem in its entirety would require a new kind of processor that doesn't rely on speculative execution. That means that Intel and its cohorts are going to have to seriously reconsider how they design and build the next generation of processor hardware.
In the meanwhile, CERT/CC's recommendation is going to be really hard to carry out. There aren't a heck of a lot of high-powered processors out there which don't rely on speculative execution.
In fact, that's how Spectre got its name.
"As it is not easy to fix, it will haunt us for quite some time," the official Meltdown/Spectre FAQsays.
And while we wait for those processors to come around, some of the operating system patches that mitigate the risk of a Meltdown or Spectre attack are reported by researchers to carry a hit to processor performance of as much as 30%. That performance hit has critics like Linux creator Linus Torvalds in a frenzy.
In other words, Meltdown and Spectre are here to stay for a while, and it's going to be a while before the path forward is entirely clear. Intel's stock is down 2.4% in intraday trading at the time of writing.