Thursday, January 18th 2018
AMD Is Served: Class Action Lawsuit Launched Over Spectre Vulnerabilities
Despite the brunt of the media's attention and overall customer rage having been thrown largely at Intel, AMD hasn't moved past the Spectre/Meltdown, well, meltdown unscathed. News has surfaced that at least two law firms have announced their intention of filing a class action lawsuit against AMD, accusing the company of not having disclosed its products' Spectre vulnerability, despite knowledge of said vulnerabilities.
AMD stated loud and clear that its processors weren't affected by the Meltdown flaw. However, regarding Spectre, AMD's terms weren't as clear-cut. The company stated that its CPUs were vulnerable to the Spectre 1 flaw (patchable at an OS level), but said that the Spectre 2 variant had "near-zero risk of exploitation". At the same time, the company also said that "GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors", adding that "While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat."
The problem, according to the law firms, lies in these two disparate remarks from AMD regarding said vulnerability to Spectre 2. I'll just take it straight from the source, as Pomerantz wrote:
"In response to the Project Zero team's announcement, a spokesperson for AMD advised investors that while its own chips were vulnerable to one variant of Spectre, there was "near zero risk" that AMD chips were vulnerable to the second Spectre variant. Then, on January 11, 2018, post-market, AMD issued a press release entitled "An Update on AMD Processor Security," acknowledging that its chips were, in fact, susceptible to both variants of the Spectre security flaw."
This editor would just like to invite all readers to think this through with him - "Near Zero Risk of Exploitation Does Not Equal Zero Risk", which automatically means that AMD's processors were susceptible to both Spectre variants. At no point in time, in these statements that are being brought to the stage, did AMD say their processors weren't vulnerable.
AMD, naturally, has already responded to these lawsuit announcements, saying that these allegations are "without merit" and that it intends "to vigorously defend against these baseless claims." You can read both law firms' statements via the source links.
Sources:
Tom's Hardware, Rosen Legal Case 1269, Pomerantz Law Firm
56 Comments on AMD Is Served: Class Action Lawsuit Launched Over Spectre Vulnerabilities
As I said in the Intel thread, it's corporate customers running cloud computing on VMs that were severely damaged by Spectre. AMD and Intel both need to start a recall program as soon as possible to replace those chips with ones that have a silicon fix. It might be a year or two before it happens but they need to make that promise that will happen.
No, AMD and Intel are most certainly not on the same level in this case and it's misleading to suggest otherwise.
This is in contrast to Europe (and probably the rest of the world) where frivolous lawsuits are generally not allowed.
I honestly wish there were a way to disable the patch on trusted applications, but I am sure that more companies will be against it as it essentially gives access to crypto keys that are resident and could usher in a whole new piracy era.
This only affects CPUs that they KNEW of the flaw in, so Intel they can only go after for CPUs that were launched after.
motherboard, but Microcenter Houston had 400 Ryzens in stock on launch day). 2nd, AMD always said Spectre 1 was a concern, but mitigated better by the OS.
Spectre 2 has NOT been demonstrated on an AMD system, still (except an AMD Pro CPU in Linux with the software switches altered from the default state on 2 commands, not realistic). That has not changed. AMD will OPTIONALLY enable two branch commands of the 4 needed by Intel in AGESA, just in case. One of those branch commands that Intel needs does a number on older CPU performance.
To me the lawsuit is bull, AMD didn't misrepresent a thing. They were open and consistent in their messaging.
Intel's Meltdown vulnerability has already been patched. ARM and IBM are lagging behind.
AMD is out of scope... for now. ;-)