Updated at 2:30 p.m. Pacific: CERT has dropped its advice that users replace the CPU. See details below.
As word of the massive security flaw in central processing units (CPUs) spread yesterday, companies responded to reassure customers and explain the steps they are taking to deliver software patches to address the issues.
But the Computer Emergency Response Team, or CERT, has issued a statement saying there is only one way to fix the vulnerability: replace the CPU. CERT is based at Carnegie Mellon University and is officially sponsored by the U.S. Department of Homeland Security’s Office of Cybersecurity and Communications.
“The underlying vulnerability is primarily caused by CPU architecture design choices,” CERT researchers wrote. “Fully removing the vulnerability requires replacing vulnerable CPU hardware.”
They also advise users to apply the various software patches but note that this will only “mitigate the underlying hardware vulnerability.”
The pronouncement from CERT doesn’t carry any regulatory obligation for the companies whose CPUs are affected. But the vendors that CERT lists as being affected include many of the biggest names in tech: AMD, Apple, ARM, Google, Intel, Microsoft, and Mozilla.
Together, those companies account for a massive portion of the chips used in computers and smartphones. Were they to come under legal or public pressure to provide replacement CPUs, the costs would be almost impossible to calculate.
For now, the companies have to hope that the software patches reduce security risk sufficiently to avoid widespread legal actions and further public…