Intel may soon find itself with its back against a proverbial wall following the disclosure of the "Downfall" chip vulnerability earlier this month. According to a class action aggregator, there's now an open interest in pursuing a lawsuit against Intel for damages relating to the Downfall vulnerability. That isn't surprising, given that fixing the bug can result in up to 39% less performance in some workloads and impacts what could number in the billions of processors. Called by law firm Bathaee Dunne LLP, the class action investigation (which is still garnering interest, plaintiffs, and information) aims to force Intel to compensate customers for "the loss of value, reduced performance, security issues and other damages stemming from the Downfall vulnerability."
Intel's Downfall is another high-impact, difficult-to-mitigate vulnerability that attacks speculative execution — a feature of modern CPUs that aims to predict what data and/or operations will be necessary for a workload to be completed before the information is even required. Speculative execution thus aims to keep that information readied and easily accessible for processing. Still, as the amount of vulnerabilities in speculative execution scenarios increases, we've also seen a trend where fixing these issues has a correspondingly negative impact on performance. For now, it appears Intel's mitigations for Downfall have an average performance cost around the 39% mark.
Intel itself said performance could decline by as much as 50% in certain scenarios, showcasing just how important speculative execution is for a modern CPU's performance. Considering how the vulnerability affects Intel processors ranging from 6th-gen (Skylake) to 11th-gen (Rocket Lake), including Xeon products based on the same architectures, the amount of affected Intel CPUs will likely be in the billions.
The argument for the class action lawsuit stems from the fact that affected users (like Intel) are left between a rock and a hard place: They paid 100% of a CPU's cost (which, in Intel's lineup, translates into an expected performance). But now, users have to choose between leaving their systems vulnerable to the Downfall speculative execution attack (not good) or taking a substantial hit to performance on workloads that matter to them (not great, either).
But in this case, keeping the vulnerability unaddressed could have a real impact on businesses and users. According to security researcher Danial Moghimi (who initially disclosed Downfall), the vulnerability would allow malicious third-party apps and services to steal sensitive information, including passwords, financial details, and even cloud-stored data.
Considering how AMD also has had its fair share of vulnerabilities (such as Inception, Squip, and its recent "Divide by zero" bug), it remains to be seen whether something similar will be aiming for the red team's bottom line as well.
