Intel Hit With Three Class Action Lawsuits Related To Security Vulnerability

It's been a few days since The Register first reported that all Intel x86-64 processors were subject to a severe security vulnerability, and already Intel has been hit with at least three separate class action lawsuits related to the vulnerability.

The Register first reported the news on January 2nd, noting that the solution to fixing the vulnerability could result in a slowdown of the affected computers. Intel has since claimed that any performance penalties would be negligible, and today Google, which has implemented a fix on its affected servers (which host its cloud services, including Gmail), wrote that, "On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."

Plaintiffs in three different states disagree. As first noted, a class action complaint was filed January 3 in United States District Court for the Northern District of California.

Since then Gizmodo has found two additional class action complaints filed today (just eleven minutes apart) -- one in the District of Oregon and another in the Southern District of Indiana.

All three complaints cite the security vulnerability as well as Intel's failure to disclose it in a timely fashion. They also cite the supposed slowdown of purchased processors. However, that is still up for debate.

In a press release today, Intel claimed it has "issued updates for the majority of processor products introduced within the past five years." Moreover, it says the performance penalty is not as significant as The Register initially claimed.

Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.

This claim -- of things not being as dire as they seemed -- was seconded by Google today. In a post on its Security Blog, Google claimed "we have found that microbenchmarks can show an exaggerated impact," which seems to suggest that localised attempts to benchmark affected processors before and after the fix has been applied may not yield reliable results.

Intel continues to claim it is not the only CPU maker affected and has posited that CPUs made by AMD, Qualcomm, and ARM (Apple uses ARM architecture in its iPhone and iPad devices) are all potentially affected.

If you're not sure if your device has been affected, be sure to back it up and then perform all available updates.

Here are the three complaints, in full.



    I wonder exactly what "loss of harm" these plaintiffs suffered and how they will demonstrate it given the limited time this flaw was known of and given that the claimed performance hit seemed to be all fear mongering.

      Well I can't speak for these class actions, but I would suggest that if there is a demonstrable impact to CPUs that were sold in Australia, Intel are likely to have breached the Australian Consumer Law because the product is indisputably not fit for purpose (it contains a serious defect that renders consumers susceptible to fraudulent activity.) Where this gets interesting is whether a third party update that "neuters" the problem mitigates Intel's liability, I am not convinced that it will. If these patches significantly impact my computer performance when push comes to shove, I certainly will be demanding a remedy, as it would be a major failure.

        Okay. Good luck.

        (Benchmarks suggest little to no difference...)

      "limited time" you say? They've known about it since June last year.

      That being said, all initial reports coming out so far indicate negligible performance impacts but @volantares is correct in his observation that they have breached Australian Consumer Law with the issue. The flaw is only being bandaid fixed with a 3rd party solution, which can easily be reverse engineered by software engineers or hackers to determine exactly what the vulnerability is, then create targeted malware/viruses to exploit it on vulnerable/unpatched machines.

        The general public have only known about this for a few weeks. What have they lost, exactly? What damages have they suffered?

        So far there have been no confirmed incidents of these flaws being exploited in the wild nor data loss resulting from them. Has Microsoft been subject to ACL action every time Windows has a security flaw and has been patched?

    This is stupid, if this does go through and the plaintiffs win. What's next? Are they going after Microsoft for the large amount of Windows vulnerabilities? Normally I prefer it when there is a security flaw in a product, the companies let the public know immediately, however if the flaw plays a major security risk, I'll understand if researchers and engineers want to keep it in the dark until a patch gets done.

      This seems like the flaw was known about and was actively being worked on by a large number of vendors from chip makers through to software companies so while Intel (and others) didn't publicly disclose the issue they were working to fix it rather than just hiding/ignoring it like other companies have done in the past.

      The difference here is Microsoft updates their products when vulnerabilities are found, Intel isn't doing that.

      It's probably less like software vulnerabilities, and more like defects in cars. You can't always "patch away" problems in cars, sometimes you need to work around it. What automakers do in this circumstance is recall the cars and implement the required fix or replacement. Intel should be going down this path.
