AMD has managed to avoid much of the hubbub over the Meltdown and Spectre vulnerabilities, but it hasn't emerged completely unscathed, thanks to two class-action lawsuits filed on behalf of the company's shareholders. Now those filings have been joined by three more lawsuits, this time filed on behalf of consumers who purchased AMD's processors in the time between the issues' discovery and their disclosure.
All three lawsuits center around essentially the same thing, which is that AMD sold CPUs vulnerable to Spectre despite knowing about the vulnerability. (Another 32 lawsuits were filed against Intel for the same reason.) The suits claim that AMD breached its products' implied warranties, that the company was negligent, and that it unjustly profited from the sale of these processors.
One lawsuit said that the Google Project Zero research team “informed AMD of the existence of the Spectre Defect no later than by June 1, 2017,” yet “AMD continued to sell its processors to unknowing customers at prices much higher than what customers would have paid had they known about the Spectre Defect.”
Another suit cites research on vulnerabilities arising from speculative execution dating back over a decade to claim that CPU makers, including AMD, made changes to their CPUs in search of speed gains “with no thought as to the security vulnerabilities that were simultaneously created.” The same lawsuit claims that AMD’s performance figures for its CPUs are disingenuous because they rely on knowingly vulnerable hardware.
Although it’s technically true that AMD and Intel continued to sell chips with knowledge of the vulnerabilities, recall that an industry-wide NDA for Meltdown and Spectre was agreed upon and that AMD was merely complying with it. Had any company revealed the vulnerabilities early, it would have given the industry less time to prepare fixes, which could have put consumers at greater risk of being affected by the security flaws.
Damned if you do - damned if you don't.
Maybe recalls would have actually stopped sales, but how can you recall practically every CPU in existence? Besides that, what's the point of stopping sales if you believe you can get workable patches out before much malware actually exploits the problems? If not for the sample code getting published, it might have been even longer before Meltdown and Spectre exploits started showing up.
With what we know about Meltdown and Spectre, it is much more plausible that AMD could have been selling their chips at a higher price.
Whew lad. That's a bit tinfoil hat of you. These issues have been in the processors for a very long time and Spectre 2 has been there since... Ivy Bridge?
Each of the attackers will have to show a general system (Windows or Linux) and an actual and repeatable successful attack of a system that has not been patched.
Non-issue for nearly all desktop usages, but some server loads can see upwards of a 30% performance reduction with the workaround.