AMD, Apple Sued Over CPU Vulnerabilities
Apple and Advanced Micro Devices (AMD) are also facing class action lawsuits following the disclosure of critical CPU vulnerabilities that affect billions of devices. The Meltdown and Spectre attack methods, which rely on vulnerabilities that have been around for roughly two decades, allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Attacks can be launched against systems using processors from Intel, AMD, ARM, and others.
Intel was hit the hardest - a majority of its processors are affected and they are the most likely to be targeted in attacks - so it came as no surprise when several class action lawsuits were filed against the company. However, lawsuits were also filed recently against AMD and Apple. In the case of AMD, the lawsuits focus on the fact that, shortly after the existence of Meltdown and Spectre came to light, the company claimed that the risk of attacks against its customers was "near zero" due to the architecture of its processors.
The company later admitted that the two vulnerabilities that allow Spectre attacks do affect its CPUs. Lawsuits announced by law firms Pomerantz and Rosen allege that AMD "made materially false and/or misleading statements and/or failed to disclose that: (1) a fundamental security flaw in Advanced Micro's processor chips renders them susceptible to hacking; and (2) as a result, Advanced Micro's public statements were materially false and misleading at all relevant times." The value of AMD shares went up after the company claimed that its products were not affected, but fell by £0.12, or nearly 1%, after the company confirmed on January 11 that its CPUs are in fact vulnerable to Spectre attacks.
Anyone who purchased AMD shares between February 21, 2017, when the company filed an annual report with the SEC, and January 11, 2018, can join the lawsuits. The complaints point to several SEC filings from this period that allegedly led to AMD shares being artificially and falsely inflated. Plaintiffs claim they would not have acquired AMD stock at prices inflated by misleading statements and withholding information about the vulnerabilities.
Google informed vendors of the flaws in June and July 2017. In the case of Apple, whose processors rely on ARM technology, the complaint says "all Apple processors are defective because they were designed by Defendant Apple in a way that allows hackers and malicious programs potential access to highly secure information stored on iDevices." Plaintiffs claim Apple had known about the flaws for a long time, but did not take action until recently.
The complaint, filed on January 8, said Apple had not provided any mitigations against Spectre attacks, but the tech giant did release software updates on the same day. The complaint claims plaintiffs would not have purchased Apple devices or they would not have paid the price they paid had they known about the vulnerabilities.