AMD Gets Hit With Two Class Action Lawsuits For Spectre Vulnerabilities, Intel Hit With Four For Meltdown & Spectre
It looks like it is lawsuit galore as lawyers smell blood in the water, since both AMD and Intel have been struck with x86 bug lawsuits. While it is fairly straightforward as far as Intel is concerned, AMD's lawsuits are on a slightly different topic: they allege the company misrepresented the risk and changed its stance in the second update to security (more on this below). While there hasn't been any response from Intel, AMD has stated that these claims are completely baseless and will fight them in court.
Lawsuit galore amidst x86 bug fallout: Intel hit with 4 lawsuits for x86 bug, AMD with 2 for alleged material misstatement
Before we go any further, here is a list of lawsuits against each company:
- Rosen Law Firm v Advanced Micro Devices for materially misleading statement
- Pomerantz Law Firm v Advanced Micro Devices for materially misleading statement
- Brower Piven v Intel Corporation related to Intel x86 bug
- Levi & Korsinsky, LLP v Intel Corporation related to Intel x86 bug
- Kessler Topaz Meltzer & Check, LLP v Intel Corporation related to Intel x86 bug
- Bronstein, Gewirtz & Grossman, LLC v Intel Corporation frelated to Intel x86 bug
Let's start at the beginning with Intel. Unless you have been living under a rock on the moon, you would know about the x86 CPU vulnerabilities detected by Google Project Zero that affect pretty much every modern processor on Earth that was produced in the last decade. These were divided into 3 variants: Variant 1, Variant 2 and Variant 3. Variant 1 and 2 were dubbed "Spectre" and Variant 3 was dubbed "Meltdown". Variant 1 'Spectre' was a bug that made pretty much every modern processor vulnerable (including AMD) while Variant 3 is a bug which affects Intel, ARM, Qualcomm and Apple and that utilizes some advanced speculative execution features. Since AMD does not use these features in its architecture, its pretty much immune to Variant 3.
So was there an escalation of risk from AMD's first statement to the second? Let's find out
So the point of discussion then becomes the Variant 2 'Spectre'. It is also the point of conflict and confusion for pretty much everyone involved. When the original statements were released, AMD stated the following about the three types of attack vectors:
- Variant 1 (Spectre): Resolved by software / OS updates to be made available by system vendors and manufacturers. Negligible performance impact expected.
- Variant 2 (Spectre): Differences in AMD architecture mean there is a near zero risk of exploitation of this variant. Vulnerability to Variant 2 has not been demonstrated on AMD processors to date.
- Variant 3 (Meltdown): Zero AMD vulnerability due to AMD architecture differences.
The implication from these statements is clear, AMD is vulnerable to 1 has "near zero risk" to 2 and is immune to 3. In other words AMD has stated that the only attack vector clients need to worry about is Spectre variant 1. A few days later after more details were released, AMD provided an updated statement on the same count:
GPZ Variant 1 (Bounds Check Bypass or Spectre) is applicable to AMD processors.
- We believe this threat can be contained with an operating system (OS) patch and we have been working with OS providers to address this issue.
- Microsoft is distributing patches for the majority of AMD systems now.
- Linux vendors are also rolling out patches across AMD products now.
GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors.
- While we believe that AMD’s processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat. We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat.
- AMD will make optional microcode updates available to our customers and partners for Ryzen and EPYC processors starting this week.
- Linux vendors have begun to roll out OS patches for AMD systems, and we are working closely with Microsoft on the timing for distributing their patches. We are also engaging closely with the Linux community on development of “return trampoline” (Retpoline) software mitigations.
GPZ Variant 3 (Rogue Data Cache Load or Meltdown) is not applicable to AMD processors.
- We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required.
Here is an extract from one of the lawsuits:
In a blog post, the Project Zero team stated that one of these security flaws—dubbed the “Spectre” vulnerability—allows third parties to gather passwords and other sensitive data from a system’s memory. In response to the Project Zero team’s announcement, a spokesperson for AMD advised investors that while its own chips were vulnerable to one variant of Spectre, there was “near zero risk” that AMD chips were vulnerable to the second Spectre variant.
Then, on January 11, 2018, post-market, AMD issued a press release entitled “An Update on AMD Processor Security,” acknowledging that its chips were, in fact, susceptible to both variants of the Spectre security flaw.
AMD has understandably responded with a "these claims are completely baseless" position. So in this updated statement, AMD is still vulnerable to Variant 1 like before and still immune to Meltdown like before. However, there is a change of wording regarding Variant 2. It went from 'near zero risk' to rolling out optional patches for mitigating risk. So the question is, did AMD materially misstate the situation? Well no, it didn't change its statement at all, even though it might appear they did.
As far as I can tell, there hasn't been any change to the near-zero risk statement since it was based on the fact that this specific vulnerability hasn't been demonstrated on AMD systems to date. This is still true which means no escalation of risk took place between the first statement and the second.
That said, some enterprise and consumer clients quite understandably wanted a mitigating patch regardless, preemptively and not waiting for an attack vector to be developed. This is why AMD is providing optional microcode updates to consumer and enterprise partners. The statement might seem confusing and I can see why lawyers would pounce on it, but an optional patch to mitigate a future potential attack vector is not the same thing as accepting the vulnerability exists right now. The key word here is optional. If there was actually a material re-statement or an escalation of risk, such a patch would not be optional - as is the case with Spectre Variant 1.
The problem lies in AMD declaring Vulnerability 2 applicable to its processors - which leaves it wide open to the interpretation that lawyers have already taken. In any case, lawsuits can swing either way and it looks like both Intel and AMD are in for a ride, with Intel dealing with 4 class actions and AMD with 2.