SoylentNews is people

posted by Fnord666 on Thursday November 23 2017, @12:09PM
from the get-your-patches-here dept.

It's time to update your Management Engine:

Intel has issued a security alert that management firmware on a number of recent PC, server, and Internet-of-Things processor platforms is vulnerable to remote attack. Using the vulnerabilities, the most severe of which was uncovered by Mark Ermolov and Maxim Goryachy of Positive Technologies Research, remote attackers could launch commands on a host of Intel-based computers, including laptops and desktops shipped with Intel Core processors since 2015. They could gain access to privileged system information, and millions of computers could essentially be taken over as a result of the bug. Most of the vulnerabilities require physical access to the targeted device, but one allows remote attacks with administrative access.

The company has posted a detection tool on its support website for Windows and Linux to help identify systems that are vulnerable. In the security alert, members of Intel's security team stated that "in response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience."

Intel® Management Engine Critical Firmware Update (Intel SA-00086)

U.S. government warns about cyber bug in Intel chips

The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as 'Management Engine' that shipped with eight types of processors used in business computers sold by Dell Technologies, Lenovo, HP Inc, Hewlett Packard Enterprise and other manufacturers.

Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

"These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years," said Jay Little, a security engineer with cyber consulting firm Trail of Bits.

The official warning is here. Good luck to everybody! Good luck.

Also at Reuters and the EFF.


Original Submission #1   Original Submission #2

 
  • (Score: 4, Insightful) by zocalo on Thursday November 23 2017, @12:57PM (3 children)

    by zocalo (302) on Thursday November 23 2017, @12:57PM (#600636)
    AMD has their own version of the IME, known as the Platform Security Processor or PSP. Just because it's not the subject of a security shitstorm right now like Intel's IME doesn't mean that it doesn't have any bugs that could result in it being exploited in a similar manner at some point, and since AMD is refusing to open-source the code there's no way to judge how risky their platform is either.
    --
    UNIX? They're not even circumcised! Savages!
  • (Score: 2) by bzipitidoo on Thursday November 23 2017, @05:38PM (2 children)

    by bzipitidoo (4388) on Thursday November 23 2017, @05:38PM (#600727) Journal

    I'd jump from Intel to AMD in a heartbeat if they didn't build in their own backdoors. Who else makes x86 processors? Used to be Cyrix. There is Via, but like AMD, they've been spotty. Best as I can make out, Via is rolling out a new line of processors next year. Until those come out, seems Via's most recent x86 offerings were in 2011. Librecores?

    I don't see ARM as a viable desktop alternative yet. Raspberry Pis are okay but buckle under heavy loads and large display screens.

    • (Score: 0) by Anonymous Coward on Friday November 24 2017, @01:35AM

      by Anonymous Coward on Friday November 24 2017, @01:35AM (#600894)

      Who else makes x86 processors?

      No one. Your current best hope for a computer that YOU own is something made in accordance with an open hardware standard, something like what rhombus-tech [rhombus-tech.net] is doing with EOMA68.

      They're not gaming machines, not x86, and they're not touting all the latest features. But if using a computer that is yours and not owned by many other someones is important to you, well, I don't know of any other approach to take that isn't a dead end.

    • (Score: 2, Informative) by toddestan on Friday November 24 2017, @06:00AM

      by toddestan (4982) on Friday November 24 2017, @06:00AM (#600955)

      If you're willing to look at VIA, you might also consider older x86 processors. I don't know how far you have to go back, and a bit might have to do with your level of paranoia. With Intel you could argue all the way back to the Pentium II to be safe (since the P3 introduced the unique processor serial number that could be used for tracking), but from what I can tell on the AMD side the AM3 processors such as the Phenom II predate the PSP and in theory are safe, and those are pretty capable systems for most workloads. Even if you had to go all the way to something like Socket A it would still likely be more powerful than whatever VIA is offering.