AMD has managed to avoid much of the hubbub over the Meltdown and Spectre vulnerabilities, but it hasn't emerged completely unscathed, thanks to two class-action lawsuits filed on behalf of the company's shareholders. Now those filings have been joined by three more lawsuits, this time filed on behalf of consumers who purchased AMD's processors in the time between the issues' discovery and their disclosure.
All three lawsuits center around essentially the same thing, which is that AMD sold CPUs vulnerable to Spectre despite knowing about the vulnerability. (Another 32 lawsuits were filed against Intel for the same reason.) The suits claim that AMD breached its products' implied warranties, that the company was negligent, and that it unjustly profited from the sale of these processors.
One lawsuit said that the Google Project Zero research team “informed AMD of the existence of the Spectre Defect no later than by June 1, 2017,” yet “AMD continued to sell its processors to unknowing customers at prices much higher than what customers would have paid had they known about the Spectre Defect.”
Another suit cites research on vulnerabilities arising from speculative execution dating back over a decade to claim that CPU makers, including AMD, made changes to their CPUs in search of speed gains “with no thought as to the security vulnerabilities that were simultaneously created.” The same lawsuit claims that AMD’s performance figures for its CPUs are disingenuous because they rely on knowingly vulnerable hardware.
Although it’s technically true that AMD and Intel continued to sell chips with knowledge of the vulnerabilities, recall that an industry-wide NDA for Meltdown and Spectre was agreed upon and that AMD was merely complying with it. Had any company revealed the vulnerabilities early, it would have given the industry less time to prepare fixes, which could have put consumers at greater risk of being affected by the security flaws.