Intel Sued Over Major Computer Security Flaws

SAN JOSE, Calif. (CN) – Computer chipmaker Intel faces a major class action filed Wednesday night in what could be the opening salvo in a flood of litigation over two recently discovered security flaws that make most of the world’s computers vulnerable to hacking.

The security flaws, called Meltdown and Spectre, enable hackers to swipe data from personal computers, mobile devices and servers, including those that connect to cloud computing networks.

Microsoft Windows on Tuesday unveiled a security patch for the Meltdown flaw, which affects nearly all Intel microprocessors that make up more than 90 percent of computer servers.

The Meltdown flaw could enable hackers to bypass the barrier between applications and hardware to access a computer’s core memory and steal private information like passwords through cloud computing services.

According to a federal lawsuit filed Wednesday night, fixes offered by operating systems like Windows and Linux will “dramatically reduce the performance” of computers.

“Intel has failed to cure the defect or replace plaintiffs’ Intel CPUs with nondefective CPUs and offer full compensation required under federal and state law,” the 26-page complaint states.

The Meltdown fix could slow computers down by as much as 30 percent, according to recent cyber security reports.

The Register, a Britain-based science and technology news website, first broke news of the recently discovered security flaws on Tuesday. The leak of information forced operating systems like Windows to release fixes for the bug earlier than expected. Major cloud computer services run by Amazon, Google, and Microsoft say they updated their systems to prevent hackers from exploiting the flaw.

Another security flaw, dubbed Spectre, affects computer chips made by multiple vendors, and there is no known software fix for the vulnerability, according to computer security experts.

“Hardware vendors will address the underlying design issue, though vulnerable systems will likely remain in operation for decades,” said Bryce Boland, a regional chief technology officer for the Milpitas, California-based cyber security firm FireEye.

These flaws are precisely the types of vulnerabilities that nation-state hackers use to develop new attack tools, Boland added.

Both Spectre and Meltdown exploit a vulnerability in a computing operation called speculative execution. Speculative execution occurs when the computer “guesses” the next piece of data a user will access based on former actions and makes that data available in the kernel, a layer of computer memory that sits between the operating system and hardware.

To eliminate the vulnerability, any software fix must also eliminate the speculative execution that makes computers run faster, explained Tony Cole, vice president and chief technology officer for FireEye.

“By putting the patch in place and eliminating that speculating, we are eliminating the speed of the processor as well,” Cole said.

Cole stressed this vulnerability is not a bug that can be easily fixed.

“It’s not a bug. It’s just the way the architecture is designed is vulnerable,” Cole said. “There’s enough information out there that I’m sure there are hackers today trying to create exploit code.”

To avoid the risk of hacking, Cole recommends consumers continuously update the operating systems and download security patches for their mobile phones, tablets and computers.

The lawsuit filed Wednesday specifically pertains to Intel’s x86-64x computers, which have been manufactured since at least 2008. The lead plaintiffs, Steven Garcia and Anthony Stachowiak, say Intel has failed to replace the defective computers or provide a solution that will not weaken the performance of computers.

Intel responded to reports of the security flaws in a press release on Jan. 3.

“Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time,” Intel stated in its announcement.

The plaintiffs seek monetary damages on claims of product liability, negligence, unfair business practices and unjust enrichment. They are represented by William J. Doyle II of San Diego.

 

%d bloggers like this: