SoylentNews is people
SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.
SoylentNews
Not that anyone is surprised or even cares but two more severe bugs have been found in the Intel Management Engine firmware. They allow remote execution with full privileges:
https://nvd.nist.gov/vuln/detail/CVE-2018-3627
https://nvd.nist.gov/vuln/detail/CVE-2018-3628
An article about these vulnerabilities on Tech Republic provides summaries and lists the affected processors.
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
It's not reality that's important, but how you perceive things.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @10:22AM (16 children)
The important thing isnt really the existence of the bugs, but the performance impact of patching them. How much slower is a fully patched computer with an intel cpu today than a year ago?
(Score: 1, Informative) by Anonymous Coward on Tuesday July 31 2018, @10:30AM
Those concerns are apt for Meltdown and Spectre related bugs. But this is the separate IME, which is Intel's bug-riddled
spyingmonitoring system.(Score: 5, Informative) by fraxinus-tree on Tuesday July 31 2018, @10:31AM (13 children)
Patching Intel ME bugs is not related to performance.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @11:14AM (12 children)
Then is this really a big deal, I mean other than intel forcing an unecessary feature upon their customers?
(Score: 2) by MichaelDavidCrawford on Tuesday July 31 2018, @11:17AM (9 children)
Other people such as the Sicilian Mafia, the Russian Mob, the Japanese Mafia, the Chinese Tong or the Occasional Nigerian Sole Proprietor [warplife.com].
Have A Nice Day! 3 :-D 3
Yes I Have No Bananas. [gofundme.com]
(Score: 5, Interesting) by bzipitidoo on Tuesday July 31 2018, @12:39PM (8 children)
Got to use a car analogy here.
Tell me, is it a big deal if it's your car on which someone else could Manage your Engine? Suppose it could take over the controls at any time and drive your car with you and yours in it to any destination they like. Maybe to the nearest police station, after informing the cops that you have illegal drugs in your car?
And further, suppose it has severe bugs, which allow hackers to remotely access it at will, and also which might cause it to drive your car off the side of the nearest high bridge, or cross the median and crash you into oncoming traffic?
Now, imagine these puppies at the heart of medical devices vital to your continued good health. Yeah, that Management Engine is looking real scary stoopid now. Worse than Spectre, which after all can only be used to access data it shouldn't be able to access. Obviously Intel did not bother to formally verify the ME's functionality, or it wouldn't have these bugs.
(Score: 5, Informative) by requerdanos on Tuesday July 31 2018, @01:00PM (6 children)
I am pretty sure this goes by the name brand "OnStar" (and as an additional feature also tracks your every movement for the benefit of law enforcement and intelligence agencies) and, while malevolent*, is considered by the majority of the car-buying public as no big deal at all--a desirable feature in fact.
Don't get me wrong, the non-optional forced-on-you "management engines" are evil agents of disaster and should be eradicated; they are a big deal.
But we who think so are the frogs who think the water seems to be getting warmer here in the kettle, and are crying "the water is going to boil!" to the vast majority of other seasoned and tenderized frogs who hear us and mutter "alarmist idiots."
-----
* I get regular e-mails from OnStar with things like "only xxx miles until your next scheduled oil change" and "your tire pressure is low" for a "Chevrolet Silverado" belonging to someone who gave the dealer my e-mail address instead of theirs [xkcd.com]. I've contacted OnStar and told them (they won't make changes on the account unless I give them personal information identifying the specific vehicle or account holder), I've contacted the dealer listed at the bottom of the e-mails (they say contact OnStar), no dice. OnStar does not care about your privacy, as part of their very nature, but I've learned they don't even care about appearing to care. Maybe one day I'll just mail all the reports to the owner of the vehicle telling them how I notified OnStar and the dealership about their personal information going to a stranger, with copies to news agencies. Or maybe not. What does Soylent think?
(Score: 4, Informative) by The Mighty Buzzard on Tuesday July 31 2018, @01:04PM
Is this even a question? Sounds like fun for the whole family.
My rights don't end where your fear begins.
(Score: 2) by MichaelDavidCrawford on Tuesday July 31 2018, @01:38PM (3 children)
It happens that my own email is mdcrawford@gmail.com.
Most serious is that Dr. Crawford of I think Sydney Australia doesn't get the email that informs his hospital's staff that a particularly sick patient has arrived and is waiting for Dr. Crawford to transplant one of their organs.
Most absurd is that I looked up some other m.d. crawford's phone number in _my_ profile in Bing Webmaster tools then rang him up to point out that he's been giving out my email address and not his own correct one.
And yes he really _did_ ask "How did you get my number?".
He wasn't trying to use Bing Webmaster Tools, he was trying to get a job at Microsoft.
It happens that a certain Marion Crawford of New Orleans, Louisiana was looking for auto mechanic work for quite a long time. I don't know whether his time of unemployment led him to take his own life or whether he finally clued in to the right email address to give to his potential employers.
I could go one for days. I mean I really could.
Time For Breakfast!
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by Runaway1956 on Tuesday July 31 2018, @04:28PM (2 children)
http://www.obitsarchive.com/obituaries/usa/louisiana?lname=Crawford&fname=Marion&formDate=&kwinc=&sort=dsc [obitsarchive.com]
Marion Lucille Crawford Spann, deceased in Baton Rouge, 1/20/2017. Another Marion Crawford died April 28, 2000, but he's not likely your Crawford. Marion seems a masculine name to me, but Marion Lucille sounds more feminine. The Spann at the tail end of the name makes me think Crawford was a maiden name, Spann the married name? Ehhh, who knows. Then again maybe not even related to your Crawford.
I clicked the direct link to Crawford's obit, but you have to have an account to actually view it.
(Score: 2) by MichaelDavidCrawford on Tuesday July 31 2018, @06:17PM (1 child)
I was just _joking_ about Marion's suicide.
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Funny) by requerdanos on Wednesday August 01 2018, @12:11AM
Death would not be nearly as likely to stop the "Job opening for you" e-mails as correcting the e-mail address would be.
(Score: 1, Touché) by Anonymous Coward on Tuesday July 31 2018, @03:17PM
You will go to jail
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @08:25PM
Please make a senator encryption backdoor analogy.
(Score: 3, Informative) by unauthorized on Tuesday July 31 2018, @11:37AM (1 child)
AMD too with their equivalent (the PSP), through the latter recently took some positive steps [phoronix.com] in that regard.
(Score: 4, Insightful) by requerdanos on Tuesday July 31 2018, @02:49PM
I agree, that's a positive* step, but in my (possibly paranoid) opinion, an option to "turn off" BIOS support for your computer's "built-in secret full-privelige rootkit controlled by not-you" still isn't very reassuring, because it doesn't make you magically have no "secret full-privelege rootkit controlled by not-you".
-------
* Well, maybe not positive; maybe "ever so slightly less negative."
(Score: 0) by Anonymous Coward on Wednesday August 01 2018, @04:57AM
This should be a global, world-wide recall. But.. Intel will walk free with no consequence or fix. Me, I want them to come and unsolder their faulty chips from every machine I have and replace it with a new one. I can dream.