Experts say software patches may remedy Meltdown flaw
A US government-sponsored cyber security team has stepped back from its drastic warning about the impact of a computer security problem that affects nearly all computers and smartphones.
The group at Carnegie Mellon University, which is backed by the Department of Homeland Security, advised computer users to apply software patches, or repairs, as a solution to the problem. It said these would “mitigate” the risk of attacks, though it did not say whether it believed they would fully resolve the issue.
The cyber security group, known as CERT, had earlier warned companies that the only way to fully protect themselves was to replace their computer systems.
That unusual warning had appeared to present companies with a choice of embarking on an expensive IT overhaul or risking an attack, once hackers learnt how to take advantage of two vulnerabilities made possible by the flaw, dubbed Meltdown and Spectre. CERT had advised computer users to replace the main processors in their computer systems, saying: “Fully removing the vulnerability requires replacing vulnerable CPU hardware.” By Thursday afternoon, however, the group had changed its position.
The reversal highlights the extent to which cyber security experts are struggling to come to terms with the extent of the problem and possible remedies, even though it was uncovered by a Google researcher last year and reported to some big tech companies six months ago.
The predicament, revealed this week, stems from serious flaws that have been discovered in chips made by Intel, AMD and Arm, and used in almost all computers, servers and smartphones. The flaws make it possible for a hacker to steal data from a computer’s core memory or from other programs running on the system. It results from a common chip design, making it more deeply embedded in IT systems than the usual software bugs that led to security failures.
Some problems can be mitigated by operating system updates, which are being rushed out by tech companies