Downfall fallout: Intel knew AVX chips were insecure and did nothing, lawsuit claims
Intel has been sued by a handful of PC buyers who claim the x86 goliath failed to act when informed five years ago about faulty chip instructions that allowed the recent Downfall vulnerability, and during that period sold billions of insecure chips.
The lawsuit [PDF], filed on behalf of five plaintiffs in a US federal court in San Jose, California, claims Intel has known about the susceptibility of its AVX instruction set to side-channel attacks since 2018, but didn't fix the defect until the disclosure of the Downfall hole this year, leaving affected computer buyers with no other option than to apply a patch that slows performance by as much as 50 percent.
The complaint says that in the summer of 2018, when Intel was dealing with Spectre and Meltdown, the manufacturer received two separate vulnerability reports from third-party researchers that warned that the microprocessor titan's Advanced Vector Extensions instruction set - which allows Intel CPU cores to perform operations on multiple pieces of data simultaneously, improving performance - was vulnerable to the same class of side-channel attack as those other two serious flaws.
"Despite promising a hardware redesign to mitigate speculative execution vulnerabilities during the exact time period researchers disclosed the vulnerabilities in Intel's AVX instructions, Intel did nothing," the complaint says.
"It did not fix its then-current chips, and over three successive generations, Intel did not redesign its chips to ensure that AVX instructions would operate securely when the CPU speculatively executed them."
"These secret buffers, coupled with side effects left in CPU cache, opened what was tantamount to a backdoor in Intel's CPUs, allowing an attacker to use AVX instructions to easily obtain sensitive information from memory - including encryption keys used for Advanced Encryption Standard encryption - by exploiting the very design flaw that Intel had supposedly fixed after Spectre and Meltdown."
News URL
https://go.theregister.com/feed/www.theregister.com/2023/11/09/intel_downfall_lawsuit/