The last year has not been Intel's best from a PC security perspective. Positive Technologies recently announced that PCs built with Intel processors going back to 2015's Skylake chips could be exploited through the computers' USB ports thanks to vulnerabilities in the CPUs' Minix-based Management Engine (ME) subsystem. The blue silicon giant has now acknowledged the problems and announced the availability of patches for motherboard and system makers to integrate into future BIOS updates.
Intel's statement indicates that "an attacker could gain unauthorized access to platform, [the] Intel ME feature, and third-party secrets protected by the Intel Management Engine, Intel Server Platform Service (SPS), or Intel Trusted Execution Engine (TXE)." That access could let an attacker "load and execute arbitrary code outside the visibility of the user and operating system," impersonate the ME, SPS or TXE to gain access to user data, or simply crash a system.
The company says it has reviewed and updated its Management Engine (versions 11.0 to 11.20), Server Platform Services (SPS) version 4.0, and Trusted Execution Engine version 3.0 in order to improve "firmware resilience." The list of affected products includes:
End users will have to wait for motherboard and system makers to integrate Intel's updates into BIOS updates in order to protect their machines. Gigabyte has announced that it has begun the work of updating its motherboard BIOS software, starting with its Z370 and Z270 boards. We expect that updates from ASRock, Asus, MSI, and others will come shortly. Intel's statement on the matter has more specific information about the nature of the security flaws. The company has a tool for Windows and Linux for users to determine if their system is vulnerable to these attacks.
This isn't the first time Intel's platform management features have given it headaches this year. Flaws in the company's Active Management Technology suite were discovered back in May. Security-focused laptop maker Purism eventually gained attention by offering its Librem series of laptops with Intel's Management Engine firmware disabled. A short time later, Google announced that it would also disable ME on its servers in an effort to prevent hackers from exploiting any flaws in the ME firmware.
|Aerocool's Project 7 P7-C1 Pro case reviewed||6|
|Google Project Tango is dead—long live ARCore||6|
|Thermaltake Sync box bridges RGB LED walled gardens||3|
|Intel tips off potential 960 GB and 1.5 TB Optane SSD 900Ps||6|
|Sapphire Nitro+ Radeon RX Vegas put a big chill on spicy-hot chips||17|
|Antec P110 Silent touts quiet looks and quiet operation||11|
|Updated LG Gram laptops put heavy-duty power into feathery bodies||16|
|Monkey Day Shortbread||14|
|Thursday deals: a nice Z370 mobo, a huge VA display, and more||6|