It’s been just two days since The Register first reported that all Intel x86-64x processors were subject to a severe security vulnerability, and already Intel has been hit with at least three separate class action lawsuits related to the vulnerability.
The Register first reported the news on January 2nd, noting that the solution to fixing the vulnerability could result in slowdown of the affected computers. Intel has since claimed that any performance penalties would be negligible, and today Google, which has implemented a fix on its affected servers (which host its cloud services, including Gmail) wrote that, “On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
Plaintiffs in three different states disagree. As Law.com first noted, a class action complaint was filed January 3rd in United States District Court for the Northern District of California. Since then Gizmodo has found two additional class action complaints filed today (just eleven minutes apart)—one in the District of Oregon and another in the Southern District of Indiana.
All three complaints cite the security vulnerability as well as Intel’s failure to disclose it in a timely fashion. They also cite the supposed slowdown of purchased processors. However that is still up for debate. In a press release today, Intel claimed it has “issued updates for the majority of processor products introduced within the past five years.” Moreover, it says the performance penalty is not as significant as The Register initially claimed.
Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time. While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.
This claim—of things not being as dire as they seemed—was seconded by Google today. In a post on its Security Blog, Google claimed “we have found that microbenchmarks can show an exaggerated impact,” which seems to suggest that localized attempts to benchmark affected processors before and after the fix has been applied may not yield reliable results.
Intel continues to claim it is not the only CPU maker affected and has posited that CPUs made by AMD, Qualcomm, and ARM (Apple uses ARM architecture in its iPhone and iPad devices) are all potentially affected.
If you’re not sure if your device has been affected, be sure to back it up and then perform all available updates.
Here are the three complaints, in full.