Class-action lawsuits pile up as Intel faces Meltdown-Spectre aftermath
Intel’s annus horribilis continues with news of an impressive 32 class-action lawsuits filed against the company in response to the Meltdown-Spectre security vulnerabilities. What does this mean for developers?
There’s not a lot of good news this week for Intel. Intel Corp has reported that it is facing 32 individual class-action lawsuits after it was made public that millions of processor chips were vulnerable to the Meltdown and Spectre security flaws.
Slipped in the middle of the company’s annual 10-K financial filings to the US Securities and Exchange Commission (SEC), Intel reported that thirty customer class action lawsuits and two securities class action lawsuits have been filed as of February 15th, 2018. All of these lawsuits relate to the recently exposed security flaws dubbed Meltdown and Spectre.
Intel faces Meltdown-Spectre aftermath
In essence, both Spectre and Meltdown are security flaws on the chip-level that allow sensitive inside computer systems to be exposed. Basically, it’s a fundamental problem with the chip’s architecture. These bugs are present in all modern Intel processors produced in the past decade.
Although Google reportedly informed Intel about the Spectre security flaw in June 2017 and the Meltdown flaw in July 2017, the story wasn’t public until the Register broke the news in January of this year.
The thirty customer class action cases were filed by consumers who claim to have been harmed by Intel’s actions and/or omissions in connection with the security vulnerabilities. Not surprising, considering that these security flaws have been around for over a decade and the software updates meant to protect PCs haven’t had the best performance reports.
Additionally, the two securities class action lawsuits allege that Intel and certain officers violated securities laws by making false statements about Intel’s products and internal controls. These two cases were brought by investors who acquired stock between July 27, 2017 and January 4, 2018, the time period when Intel knew about Meltdown and Spectre, but had not made the flaws public.
And Intel’s law troubles are hardly over. The CEO of Intel, Brian Krzanich, sold 889,879 shares in the company on November 29, making roughly $39 million from the sale. This was well before the flaws were known to the public, raising questions of whether this qualifies as insider trading.
Realistically, these 32 lawsuits are likely the tip of the iceberg. Since these lawsuits are still in the early stages, Intel claims that there is no way they can begin to estimate the damages from these suits. In any case, the clean up is likely to be pricey.
What does this mean for developers?
Well, first off, all computers have been affected by this security flaw. (Unless you’re running solely on a Raspberry Pi, that is.) While Meltdown can be fixed with an imperfect software patch, Spectre is here to stay, as it is literally a part of the chip’s architecture. No one is putting anything down in stone for when that might be fixed, but the best guess is probably sometime in 2021. So, we’re going to be living with this for some time.
In the meanwhile, various patches and updates are being released, including an emergency Windows update that fixed Intel’s dodgy Spectre fix. However, if you’re in the mood for bug hunting, Intel has extended its bug bounty program. Bounties are up across the board and any discloses made could net white hat hackers up to $250,000.