Intel faces class-action lawsuits over failure to disclose Meltdown and Spectre security flaws in time

While the tech world scrambles to fix the most worrying CPU security flaw in decades, Intel is getting sued for failing to disclose the vulnerability in time.

Meltdown and Spectre are a related family of vulnerabilities found in virtually every processor made in the last 20 years or so. Of the two, Meltdown is the more relevant to Intel, as it doesn’t affect other chipmakers to the same extent. If exploited, the vulnerability can let hackers steal sensitive data directly from the processor.

Intel processor

Unfortunately for Intel chip users, the fix for the Meltdown vulnerability can have a significant impact on computing performance in certain niche workloads, which could hurt certain businesses. So far, however, real-world tests have not shown any significant impact on performance.

Recent reports have revealed that Meltdown also affects Apple CPUs, including those found in Apple’s mobile devices. It will also affect ARM’s upcoming high-performance Cortex A75 core.

As per a Guardian report, Intel is facing class-action lawsuits in three separate states for failing to publicly disclose the vulnerability in time. The law firms involved expect more lawsuits, especially from consumers.

The Guardian also quotes several security experts who suggest that Intel might be forced to renegotiate processor prices with big-name customers like Google, Amazon and Microsoft. That is the more worrying issue for the company, especially now that rival AMD’s offerings are looking more secure.

Intel acknowledged the existence of the lawsuits but refused to comment further.

As far as we can tell, however, the lawsuits have no teeth. The vulnerability is inherent to the design of virtually every modern processor and even affects designs made by IBM many years ago. The Meltdown vulnerability only affects Intel because of a design decision that was made before the vulnerability was discovered.

It’s also important to note that the vulnerability was discovered by third-party researchers, including Google Project Zero, in June 2017. All affected parties were notified of the vulnerability, and none of them could disclose it publicly owing to an NDA (non-disclosure agreement) that everyone signed.

The vulnerability was disclosed publicly in the first week of January 2018 only because of a leak from an AMD developer. The developer pushed an update to the Linux kernel in which he indirectly gave away the whole plot, so to speak. If all had gone according to plan, the vulnerability would not have been publicly disclosed until patches were in place to mitigate the threat. Thus, it’s very unlikely that Intel can be held accountable for not disclosing the vulnerability in time.

If anything, the real legal trouble that Intel faces is with regard to insider trading. Intel CEO Brian Krzanich sold all the Intel stock that he was legally permitted to sell ($39 mn worth) in the months following the private disclosure of the flaw to Intel. Intel claims that the sale was “incidental” and legal, but it’s been shown that Krzanich filed the paperwork for the stock sale after the flaw was disclosed to the company. Apparently, he also sold about ten times the amount of stock he normally sells in a year.

As of this writing, Intel’s stock is down 2.4 percent since the disclosure.

Published Date: Jan 06, 2018 18:12 PM | Updated Date: Jan 06, 2018 18:13 PM