Intel Sued Over ‘Downfall’ CPU Vulnerability 

A class action lawsuit has been filed against Intel over its handling of CPU speculative execution vulnerabilities, with a focus on Downfall.

A class action lawsuit has been filed against Intel over its handling of speculative execution vulnerabilities found in its CPUs, particularly the recently disclosed attack method named Downfall. 

A 112-page class action complaint was filed this week by plaintiffs represented by Bathaee Dunne. News of a Bathaee Dunne-led lawsuit against Intel over the Downfall vulnerability emerged in late August, when the law firm announced that it was preparing to file a complaint.

The plaintiffs say the Intel CPUs they have purchased are “defective” because they are either left vulnerable to cyberattacks or they have significantly slower performance due to the vulnerability fixes made available by the chip giant.

The complaint says Intel has known about speculative execution vulnerabilities in its processors since 2018, when cybersecurity researchers disclosed the existence of two attack methods named Meltdown and Spectre. 

These types of attacks typically allow an attacker who has access to the targeted system — and in some cases remotely — to bypass security protections and obtain sensitive information such as passwords and encryption keys from memory. However, conducting an attack is often not an easy task and there are no public reports about such flaws being exploited in the wild. 

Following the disclosure of Meltdown and Spectre, Intel has been informed about several other speculative execution vulnerabilities and the company has been taking steps to address them. 

However, customers are displeased with the fact that fixes for these issues introduce significant performance degradation and accuse Intel of selling CPUs that it knew were flawed over the course of several years. 

The Downfall attack, which a Google researcher disclosed in August after giving Intel more than a year to take action, has been described as highly practical, with a PoC exploit showing how it can be leveraged to steal OpenSSL encryption keys.

“When the Downfall vulnerability became public, Intel issued a microcode update, which supposedly mitigated the Downfall vulnerability. In reality, Intel’s ‘mitigation’ had handicapped the very systems, namely speculative execution and branch prediction, that are central to the function of every modern CPU, resulting in as much as a 50% performance degradation in affected CPUs,” the complaint reads.

The complaint shows exactly how much the value of an impacted Intel CPU has decreased due to the performance degradation.

The plaintiffs “seek monetary relief against Intel measured as the greater of (a) actual damages in an amount to be determined at trial or (b) statutory damages in the amount of $10,000 for each plaintiff.”

SecurityWeek has reached out to Intel for comment and will update this article if the company responds.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
