AMD Is Served: Class Action Lawsuit Launched Over Spectre Vulnerabilities

[Raevenlord]

Despite the grunt of the media's attention and overall customer rage having been thrown largely at Intel, AMD hasn't moved past the Spectre/Meltdown well, meltdown, unscathed. News has surfaced that at least two law firms have announced their intention of filing a class action lawsuit against AMD, accusing the company of not having disclosed their products' Spectre vulnerability, despite knowledge of said vulnerabilities.

AMD stated loud and clear that their processors weren't affected by the Meltdown flaw. However, regarding Spectre, AMD's terms weren't as clear cut. The company stated that its CPUs were vulnerable to the Spectre 1 flaw (patchable at a OS level), but said that vulnerability to Spectre 2's variant had "near-zero risk of exploitation". At the same time, the company also said that "GPZ Variant 2 (Branch Target Injection or Spectre) is applicable to AMD processors", adding that "While we believe that AMD's processor architectures make it difficult to exploit Variant 2, we continue to work closely with the industry on this threat.





The problem, according to the law firms, are these two disparate remarks from AMD regarding said vulnerability to Spectre 2. I'll just take it straight from the source, as Pomerantz wrote:

"In response to the Project Zero team's announcement, a spokesperson for AMD advised investors that while its own chips were vulnerable to one variant of Spectre, there was "near zero risk" that AMD chips were vulnerable to the second Spectre variant. Then, on January 11, 2018, post-market, AMD issued a press release entitled "An Update on AMD Processor Security," acknowledging that its chips were, in fact, susceptible to both variants of the Spectre security flaw."

This editor would just like to invite all readers to think this through with him - "Near Zero Risk of Exploitation Does Not Equal Zero Risk", which automatically means that AMD's processors were susceptible to both Spectre variants. At no point in time, in these statements that are being brought to the stage, did AMD say their processors weren't vulnerable.

AMD, naturally, has already responded to these lawsuit announcements, saying that these allegations are "without merit" and that it intends "to vigorously defend against these baseless claims." You can read both law firms' statements via the source links.

View at TechPowerUp Main Site

 

[Patriot]

So... I see AMD lists 3 Variants and others only list 2...

 

[qubit]

Some lawyer is on a get rich quick scheme here. I'm with AMD that there's no merit to this idiotic lawsuit for the reasons you've stated, @Raevenlord

 

[dicktracy]

Yes. Lisa Su lied.

 

[R-T-B]

Yes. Lisa Su lied.

When exactly?

 

[qubit]

When exactly?

@Raevenlord lied.

 

[FordGT90Concept]

They can make a case for Threadripper and Raven Ridge. In the case of Raven Ridge, the damages are minimal because there's not much exposure to VMs. Any claims against that will likely be thrown out. Threadripper though, AMD could be in as much trouble as Intel. They knew about the problem but said absolutely nothing about it and launched the product anyway. They are processors aimed at running VMs.

As I said in the Intel thread, it's corporate customers running cloud computing on VMs that were severely damaged by Spectre. AMD and Intel both need to start a recall program as soon as possible to replace those chips with ones that have a silicon fix. It might be a year or two before it happens but they need to make that promise that will happen.

 

[evernessince]

They can make a case for Threadripper and Raven Ridge. In the case of Raven Ridge, the damages are minimal because there's not much exposure to VMs. Any claims against that will likely be thrown out. Threadripper though, AMD could be in as much trouble as Intel. They knew about the problem but said absolutely nothing about it and launched the product anyway. They are processors aimed at running VMs.

As I said in the Intel thread, it's corporate customers running cloud computing on VMs that were severely damaged by Spectre. AMD and Intel both need to start a recall program as soon as possible to replace those chips with ones that have a silicon fix. It might be a year or two before it happens but they need to make that promise that will happen.

Hm, how does AMD get in as much trouble as Intel when Intel has 99% of the server market? Answer: It doesn't. Second, AMD's disclosure and Intel's disclosure are Apples to Oranges. At best AMD had a slip of the tongue. Intel on the other hand engaged in insider trading and willingly withheld this information during the holiday season to sell processors.

No, AMD and Intel are most certainly not on the same level in this case and it's misleading to suggest otherwise.

 

[bug]

I believe a lot of people will miss out one important aspect: in US, you can file a suit on just about any grounds. But it doesn't mean it will automatically go to trial. A judge can dismiss it before it comes to that, it they're not convinced there's any merit to it.
This is in contrast to Europe (and probably the rest of the world) where frivolous lawsuits are generally not allowed.

 

[Steevo]

They can make a case for Threadripper and Raven Ridge. In the case of Raven Ridge, the damages are minimal because there's not much exposure to VMs. Any claims against that will likely be thrown out. Threadripper though, AMD could be in as much trouble as Intel. They knew about the problem but said absolutely nothing about it and launched the product anyway. They are processors aimed at running VMs.

As I said in the Intel thread, it's corporate customers running cloud computing on VMs that were severely damaged by Spectre. AMD and Intel both need to start a recall program as soon as possible to replace those chips with ones that have a silicon fix. It might be a year or two before it happens but they need to make that promise that will happen.

Spectre doesn't need a VM, its literally the performance enhancing ability of prefetch in hardware & software, now instead of treating applications as "trusted" all precaching and predictive ability needs to be checked against the threads allocated memory space, meaning less performance, but no chance that a program can read the cache or other data out of the "bounds" of its own memory space.


I honestly wish there were a way to disable the patch on trusted applications, but I am sure that more companies will be against it as it essentially gives access to crypto keys that are resident and could usher in a whole new piracy era.

 

[lexluthermiester]

Some lawyer is on a get rich quick scheme here. I'm with AMD that there's no merit to this idiotic lawsuit for the reasons you've stated, @Raevenlord

Totally correct. Everyone who manufactures CPU's was notified using known good practices. Everyone got the same heads-up and everyone got the same amount of time to work the problem. This case, if it actually sees time in court, will fall to dust as it is, as AMD rightly said, without merit. To that I will add, laughable.

whole new piracy era

Piracy is a "red herring" that everyone cries when their creations don't sell well.

 

[I No]

Oh boy... here we go again ... Another get rich quick ... i mean .... "class action suit"

 

[mcraygsx]

Where is the lawsuit against INTEL who has done most damage. I suppose it is easier to step over little folks.

 

[FordGT90Concept]

Hm, how does AMD get in as much trouble as Intel when Intel has 99% of the server market? Answer: It doesn't.

That's irrelevant in terms of legal recourse. It just means Intel is going to have larger damages.

Intel on the other hand engaged in insider trading and willingly withheld this information during the holiday season to sell processors.

Individuals did and that's a separate matter for the SEC to investigate and prosecute.

 

[R-T-B]

Where is the lawsuit against INTEL who has done most damage. I suppose it is easier to step over little folks.

A few newsthreads back?

 

[AsRock]

Some lawyer is on a get rich quick scheme here. I'm with AMD that there's no merit to this idiotic lawsuit for the reasons you've stated, @Raevenlord

I hope a bunch have the balls to take Intel to the cleaners as they clearly knew the problem.

 

[Melvis]

These law suits will just get thrown out of court or appealed then lost, its not like AMD has a hardware flaw like Intel CPU's have that can never be fixed.

 

[arbiter]

Totally correct. Everyone who manufactures CPU's was notified using known good practices. Everyone got the same heads-up and everyone got the same amount of time to work the problem. This case, if it actually sees time in court, will fall to dust as it is, as AMD rightly said, without merit. To that I will add, laughable.

Piracy is a "red herring" that everyone cries when their creations don't sell well.

Well Since AMD knew of the flaw before they put their Ryzen cpu's on sale they are in same boat as they can claim against intel. If people claim intel should halted release of their cpu so should have AMD when hearing of said problem as they cpu's yes were launched but it was paper launch and not launched as on sale that you could get it.

This only effects cpu's that they KNEW of the flaw in so intel they can only go after for cpu's that were launched after.

 

[SRB151]

Well Since AMD knew of the flaw before they put their Ryzen cpu's on sale they are in same boat as they can claim against intel. If people claim intel should halted release of their cpu so should have AMD when hearing of said problem as they cpu's yes were launched but it was paper launch and not launched as on sale that you could get it.

This only effects cpu's that they KNEW of the flaw in so intel they can only go after for cpu's that were launched after.

Um, Ryzen launched in March. Long before this came to light. Not a paper launch, as I bought one then. (it was hell finding a
motherboard, but Microcenter Houston had 400 ryzens in stock on launch day). 2nd, AMD always said spectre 1 was a concern, but mitigated better by the os.
Spectre 2 has NOT been demonstrated on an AMD system, still (except an AMD Pro cpu in linux with the software switches altered from the
default state on 2 commands, not realistic). That has not changed. AMD will OPTIONALLY enable two branch commands of the 4 needed by
Intel in AGESA, just in case. One of those branch commands that Intel needs does a number on older cpu performance.

 

[Mistral]

Well Since AMD knew of the flaw before they put their Ryzen cpu's on sale they are in same boat as they can claim against intel

Not accurate at all. Ryzen was released before Google reported the flow, while Intel released their "8th gen" after and fully knowing. Also, the level of vulnerability is quite different.

To me the lawsuit is bull, AMD didn't misrepresent a thing. They were open and consistent in their messaging.

 

[notb]

Not accurate at all. Ryzen was released before Google reported the flow, while Intel released their "8th gen" after and fully knowing. Also, the level of vulnerability is quite different.

No. Most of lineup (EPYC, APU, Ryzen 3 and 5) was released after the note from Project Zero.

These law suits will just get thrown out of court or appealed then lost, its not like AMD has a hardware flaw like Intel CPU's have that can never be fixed.

You don't know much about this issue, do you?
Intel's Meltdown vulnerability has already been patched. ARM and IBM are lagging behind.
AMD is out of scope... for now. ;-)

 

[Melvis]

You don't know much about this issue, do you?
Intel's Meltdown vulnerability has already been patched. ARM and IBM are lagging behind.
AMD is out of scope... for now. ;-)

Ummm you just said it yourself, "patched" but not fixed as its a hardware lvl problem which can never be fixed. Maybe you dont know much about the issue?

 

[eidairaman1]

Too bad we cant write these schmucks for being utter fools

 

[lexluthermiester]

These law suits will just get thrown out of court or appealed then lost

Very likely.

its not like AMD has a hardware vulnerability like Intel CPU's have that can never be fixed.

Corrected, and they do, just not the same ones. And it was pure luck that AMD chose to perform those functions differently than Intel otherwise their CPU's would be very much vulnerable in the same ways.

 

[Aquinus]

no chance that a program can read the cache or other data out of the "bounds" of its own memory space.

That's 100% not true. Variant two describes how a guest VM can read the host's kernel memory. This one in particular is the one that cloud service providers needed to be worried about.

Variant 2: Branch target injection
This section describes the theory behind our PoC for variant 2 that, when running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific version of Debian's distro kernel running on the host, can read host kernel memory at a rate of around 1500 bytes/second.

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

AMD and Intel both need to start a recall program as soon as possible to replace those chips with ones that have a silicon fix. It might be a year or two before it happens but they need to make that promise that will happen.

Why? The bug is patchable and replacing every CPU impacted by this would take more than a couple years and an enormous amount of money on Intel's part (if you consider that this would mean practically every single CPU in Google and Amazon's data centers,) I would expect them to fight tool and nail, even in collaboration with AMD, to prevent that from happening. Rightfully so though. When a car has a recall, they fix the problem, they don't typically replace the car and patching this fixes the problem.