Three Class-Action Lawsuits Target AMD Over Spectre Vulnerability

By Leon Chan
published

AMD has managed to avoid much of the hubbub over the Meltdown and Spectre vulnerabilities, but it hasn't emerged completely unscathed, thanks to two class-action lawsuits filed on behalf of the company's shareholders. Now those filings have been joined by three more lawsuits, this time filed on behalf of consumers who purchased AMD's processors in the time between the issues' discovery and their disclosure.

All three lawsuits center around essentially the same thing, which is that AMD sold CPUs vulnerable to Spectre despite knowing about the vulnerability. (Another 32 lawsuits were filed against Intel for the same reason.) The suits claim that AMD breached its products' implied warranties, that the company was negligent, and that it unjustly profited from the sale of these processors.

One lawsuit said that the Google Project Zero research team “informed AMD of the existence of the Spectre Defect no later than by June 1, 2017,” yet “AMD continued to sell its processors to unknowing customers at prices much higher than what customers would have paid had they known about the Spectre Defect.”

Another suit cites research on vulnerabilities arising from speculative execution dating back over a decade to claim that CPU makers, including AMD, made changes to their CPUs in search of speed gains “with no thought as to the security vulnerabilities that were simultaneously created.” The same lawsuit claims that AMD’s performance figures for its CPUs are disingenuous because they rely on knowingly vulnerable hardware.

Although it’s technically true that AMD and Intel continued to sell chips with knowledge of the vulnerabilities, recall that an industry-wide NDA for Meltdown and Spectre was agreed upon and that AMD was merely complying with it. Had any company revealed the vulnerabilities early, it would have given the industry less time to prepare fixes, which could have put consumers at greater risk of being affected by the security flaws.

Leon Chan
11 Comments Comment from the forums
  • TwoSpoons100
    Can you imagine the screaming if AMD and Intel had halted all CPU sales for six months while they fixed the issue? That probably would have resulted in even more lawsuits as hardware vendors were driven to the wall.
    Damned if you do - damned if you don't.
    Reply
  • blazorthon
    If you wanted to sue over the fact that these vulnerabilities even happened so badly and were present for such a long time, then okay, but complaining about the companies still selling them between officially learning of the problems and making it publicly known is excessive. The same goes for suing Intel over that. AMD and Intel couldn't have simply stopped selling the chips because the retailers, OEMs, and such would have continued selling the chips or selling products containing the chips.

    Maybe recalls would have actually stopped sales, but how can you recall practically every CPU in existence? Besides that, what's the point of stopping sales if you believe you can get workable patches out before much malware actually exploits the problems? If not for the sample code getting published, it might have been even longer before Meltdown and Spectre exploits started showing up.
    Reply
  • steve15180
    At this point, I just don't get it. The stock price barely changed, Meltdown is a non issue, Spectre 1 is a software issue that has been addressed (so far), and Spectre 2 has not been shown to work on AMD cpus (at least Zen, which was for sale). I'll be surprised if their not laughed out of court.
    Reply
  • mihen
    These lawsuits are reliant on people ignorant to technology. So there is always a chance to make a buck. The only real issue with AMD processors in these regards were on older Athlon processors. They really don't have a case if the judge is technically literate.
    With what we know about Meltdown and Spectre, it is much more plausible that AMD could have been selling their chips at a higher price.
    Reply
  • cryoburner
    20732839 said:
    If you wanted to sue over the fact that these vulnerabilities even happened so badly and were present for such a long time, then okay, but complaining about the companies still selling them between officially learning of the problems and making it publicly known is excessive. The same goes for suing Intel over that.
    I somewhat agree, but I will say that Intel's rushed release of Coffee Lake months earlier than many were expecting based on earlier roadmaps possibly makes more sense if you consider that they might have wanted to get it out the door and reviewed before Spectre and Meltdown came to light and potentially impacted performance. Releasing the processors in early 2018, right around the time the exploits are unveiled and performance-sapping patches released might have put a more negative vibe around the launch. It's also possible that they could have simply wanted to accelerate their schedule so that they could launch Ice Lake with in-silicon fixes before this year is through.
    Reply
  • blackfist0
    These backdoors are intentional. The governments of the world want access to your PC and AMD and Intel are willing to comply. Only when the problem is in the public eye will they do something about it. Expect a new loophole created in next gen chips to allow governments to spy on you again.
    Reply
  • blackfist0
    These backdoors are intentional, They are also built into hardrive firmware. That is how Iran became victim of StuxNet. The governments of the world want access to your PC and AMD and Intel are willing to comply. Only when the problem is in the public eye will they do something about it. Expect a new loophole created in next gen chips to allow governments gain access again.
    Reply
  • BulkZerker
    These backdoors are intentional. The governments of the world want access to your PC and AMD and Intel are willing to comply. Only when the problem is in the public eye will they do something about it. Expect a new loophole created in next gen chips to allow governments to spy on you again.

    Whew lad. That's a bit tinfoil hat of you. These issues have been in the processors for a very long time and Spectre 2 has been there since... Ivybridge?
    Reply
  • lsatenstein
    According to AMD, the possibility of succumbing to a Spectre attack is less than 1 in 10 million. It needs an attacker who uses random tests, as a sequential test (0 to infinity)should fail.

    Each of the attackers will have to show a general system (windows or Linux) and an actual and repeatable successful attack of a system that has not been patched.
    Reply
  • Kewlx25
    20733032 said:
    At this point, I just don't get it. The stock price barely changed, Meltdown is a non issue, Spectre 1 is a software issue that has been addressed (so far), and Spectre 2 has not been shown to work on AMD cpus (at least Zen, which was for sale). I'll be surprised if their not laughed out of court.

    Non-issue for nearly all desktop usages, but some server loads can see upwards of a 30% performance reduction with the workaround.
    Reply