Here come the lawyers! Intel slapped with three Meltdown bug lawsuits

Class-actions start piling up after El Reg blows lid on CPU security cockup

Attorney Lionel Hutz

Just days after The Register revealed a serious security hole in its CPU designs, Intel is the target of three different class-action lawsuits in America.

Complaints filed in US district courts in San Francisco, CA [PDF], Eugene, OR [PDF], and Indianapolis, IN [PDF] accuse the chip kingpin of, among other things, deceptive practices, breach of implied warranty, negligence, unfair competition, and unjust enrichment.

All three lawsuits center on the kernel memory leak "feature" – dubbed Meltdown – that has been baked into Chipzilla's x86-64 microprocessors since at least 2011.

Each of the three complaints extensively references El Reg's January 2 report on the bug, which can be exploited by malware to steal passwords and other sensitive data from computers.

Arguing that Chipzilla mislead consumers by failing to disclose both the security hole itself and the potential performance hit that could result from installing patches to remedy the design blunder, the plaintiffs seek payouts citing both state and federal consumer protection and business law, including deceptive business practices and unjust enrichment.

"The defect renders the Intel x86-64x CPUs unfit for their intended use and purpose," the complaints read. "In essence, Intel x86-64x CPU owners are left with the unappealing choice of either purchasing a new processor or computer containing a CPU that does not contain the Defect, or continuing to use a computer with massive security vulnerabilities or one with significant performance degradation."

They are now seeking a trial to determine damages (or more likely a settlement deal) on behalf of a class of consumers who purchased a computer with the affected Intel CPUs in California, Oregon, and Indiana.

Intel declined to comment, citing a policy against speaking on pending litigation.

Red Hat details slowdowns, Raspberry Pi and RISC-V all clear

Elsewhere, Linux distro slinger Red Hat has confirmed that some of its enterprise users will indeed see a slowdown in their application software as a result of the mitigations it has rolled out for the CPU flaws.

Red Hat said that depending on workloads, performance will slow by up to 20 per cent, with the most vulnerable being "highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions." Your mileage may vary.

Casual desktop users and gamers won't see much of a difference in performance with the Meltdown patches installed. Other folks may experience a five or more per cent slow down – it really depends on the processor, and how many system calls the software makes. Hammer the disk, network, or otherwise call the kernel a lot, and you'll feel the drag. Tests with database package Redis revealed a 35 per cent slowdown. Using pipelining will reduce that hit. Software can be potentially optimized to reduce any Meltdown-induced latencies.

Ultimately, you should apply Meltdown patches to avoid attack, and be prepared for any potential performance degradation.

Want a system free from the security headaches of Spectre and Meltdown? The ARM11 cores in the Raspberry Pi are immune. And RISC-V is in the clear, too. Maybe it's RISC-V's time to shine. ®

Sponsored: Minds Mastering Machines - Call for papers now open


Biting the hand that feeds IT © 1998–2018