fbpx
Print this page

Intel chip flaws leave millions of devices exposed

SECURITY RESEARCHERS HAVE raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.

On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.

Upper Management

The Management Engine is an independent subsystem that lives in a separate microprocessor on Intel chipsets; it exists to allow administrators to control devices remotely for all types of functions, from applying updates to troubleshooting. And since it has extensive access to and control over the main system processors, flaws in the ME give attackers a powerful jumping-off point. Some have even called the ME an unnecessary security hazard.

Intel specifically undertook what spokesperson Agnes Kwan called a “proactive, extensive, rigorous evaluation of the product,” in light of findings that Russian firmware researchers Maxim Goryachy and Mark Ermolov will present at Black Hat Europe next month. Their work shows an exploit that can run unsigned, unverified code on newer Intel chipsets, gaining more and more control using the ME as an unchecked launch point. The researchers also play with a sinister property of the ME: It can run even when a computer is “off” (just so long as the device is plugged in), because it is on a separate microprocessor, and essentially acts as a totally separate computer.

As with previous ME bugs, nearly every recent Intel chip is impacted, affecting servers, PCs, and IoT devices. Compounding the issue: Intel can provide updates to manufacturers, but customers need to wait for hardware companies to actually push the fixes out. Intel's maintaining a running list of available firmware updates, but so far only Lenovo has offered one up.

Intel has confirmed that those worst-case fears may be possible.

"These updates are available now," Intel said in a statement to WIRED. "Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible." In many cases, it could be a while before that fix becomes available.

The newly disclosed vulnerabilities can cause instability or system crashes. They can be used to impersonate the ME, Server Platform Services, and Trusted Execution Engine to erode security verifications. And Intel says they can even be used to “load and execute arbitrary code outside the visibility of the user and operating system.” This is the crucial danger of the ME. If exploited, it can operate totally separate from the main computer, meaning that many ME attacks wouldn’t raise red flags.

Unclear Fallout

Still, the true impact of current ME vulnerability isn't clear, given the relatively limited amount of information Intel has released.

“This looks bad, but we don’t yet know how easy it will be to exploit these vulnerabilities,” says Filippo Valsorda, a cryptography engineer and researcher. “It’s a really wide range of machines that are impacted, not just servers. Intel seems worried enough to publish detection tools and do a well-orchestrated release.”

The good news is that most of the vulnerabilities require local access to exploit; someone has to have hands on a device or deep in a network. Intel does note, though, that some of the new wave of vulnerabilities can be exploited remotely if an attacker has administrative privileges. And some of the bugs also potentially allow for privilege escalation, which could make it possible to start with a standard user status and work up to higher network access.

“Based on public information, we have no real idea how serious this is yet. It could be fairly harmless, it could be a giant deal,” Matthew Garrett, a Google security researcher, wrote on Twitter when the vulnerabilities were first announced. But he quickly added that, “on reflection I don't see many outcomes where this is fairly harmless.”

It will take time for the full impact of these ME bugs to come into view, but for researchers who have warned about the dangers of ME for years, Intel's fixes now are cold comfort.

Read 7423 times

comments

  • Eric Jones
    Eric Jones 7 days ago

    Good day,

    My name is Eric and unlike a lot of emails you might get, I wanted to instead provide you with a word of encouragement – Congratulations

    What for?

    Part of my job is to check out websites and the work you’ve done with raindesigner.com definitely stands out.

    It’s clear you took building a website seriously and made a real investment of time and resources into making it top quality.

    There is, however, a catch… more accurately, a question…

    So when someone like me happens to find your site – maybe at the top of the search results (nice job BTW) or just through a random link, how do you know?

    More importantly, how do you make a connection with that person?

    Studies show that 7 out of 10 visitors don’t stick around – they’re there one second and then gone with the wind.

    Here’s a way to create INSTANT engagement that you may not have known about…

    Talk With Web Visitor is a software widget that’s works on your site, ready to capture any visitor’s Name, Email address and Phone Number. It lets you know INSTANTLY that they’re interested – so that you can talk to that lead while they’re literally checking out raindesigner.com.

    CLICK HERE https://talkwithwebvisitors.com to try out a Live Demo with Talk With Web Visitor now to see exactly how it works.

    It could be a game-changer for your business – and it gets even better… once you’ve captured their phone number, with our new SMS Text With Lead feature, you can automatically start a text (SMS) conversation – immediately (and there’s literally a 100X difference between contacting someone within 5 minutes versus 30 minutes.)

    Plus then, even if you don’t close a deal right away, you can connect later on with text messages for new offers, content links, even just follow up notes to build a relationship.

    Everything I’ve just described is simple, easy, and effective.

    CLICK HERE https://talkwithwebvisitors.com to discover what Talk With Web Visitor can do for your business.

    You could be converting up to 100X more leads today!

    Eric
    PS: Talk With Web Visitor offers a FREE 14 days trial – and it even includes International Long Distance Calling.
    You have customers waiting to talk with you right now… don’t keep them waiting.
    CLICK HERE https://talkwithwebvisitors.com to try Talk With Web Visitor now.

    If you'd like to unsubscribe click here http://talkwithwebvisitors.com/unsubscribe.aspx?d=raindesigner.com

  • SidDunty
    SidDunty 10 days ago

    modalert 200 buy modafinil

  • SidDunty
    SidDunty 10 days ago

    modafinil generic modafinil generic

  • SidDunty
    SidDunty 10 days ago

    modafinil generic modalert 200

  • SidDunty
    SidDunty 10 days ago

    buy modafinil modalert online

  • SidDunty
    SidDunty 10 days ago

    how to get modafinil prescription modafinil prescription online

  • SidDunty
    SidDunty 10 days ago

    modafinil generic modafinil prescription online

  • SidDunty
    SidDunty 10 days ago

    buy modafinil buy modalert online

  • SidDunty
    SidDunty 10 days ago

    modalert 200 modafinil prescription

  • SidDunty
    SidDunty 10 days ago

    modafinil modafinil pill

We use cookies to improve our website. By continuing to use this website, you are giving consent to cookies being used. More details…