Enlarge/ An Intel CPU.Mark Walton

Three class action complaints have been filed against Intel over the Meltdown and Spectre CPU security flaws that were discovered by researchers earlier this year and widely publicized earlier this week.

The three lawsuits—filed in California, Indiana, and Oregon (PDF)—cite not just the security vulnerabilities and their potential impact, but also Intel's response time to them. Researchers notified Intel about the flaws in June. Now, Intel faces a big headache. The vast majority of its CPUs in use today are impacted, and more class action complaints may be filed beyond these three.

The three complaints also cite suggestions that devices using Intel's CPUs will see significant slowdown as a result of addressing the security flaws. However, that point is in some dispute. In the course of its various public efforts to mitigate damage and address concerns, Intel has publicly said in a statement that these concerns are overblown:

Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time.

Google, whose Project Zero team was involved in the initial discovery of the vulnerabilities, seemed to support Intel's claim when it wrote in its security blog about performance on its devices:

There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance. In our own testing, we have found that microbenchmarks can show an exaggerated impact. Of course, Google recommends thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact.

Either way, the costs for Intel after Meltdown and Spectre could be significant. The Guardian consulted sources such as Fort Pitt Capital Group analyst Kim Forrest to paint a picture of what Intel faces. Regardless of the outcome of these class action suits, the paper writes that Intel will likely find itself in a poor bargaining position with its cloud customers and other enterprise partners and that it will likely have to spend more heavily on security in the future.

Original Article

[contf] [contfnew]

Ars Technica

[contfnewc] [contfnewc]