Not that anyone is surprised or even cares, but two more severe bugs have been found in the Intel Management Engine firmware. They allow remote execution with full privileges:
https://nvd.nist.gov/vuln/detail/CVE-2018-3627
https://nvd.nist.gov/vuln/detail/CVE-2018-3628
An article about these vulnerabilities on Tech Republic provides summaries and lists the affected processors.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @10:22AM (16 children)
The important thing isn't really the existence of the bugs, but the performance impact of patching them. How much slower is a fully patched computer with an Intel CPU today than a year ago?
(Score: 1, Informative) by Anonymous Coward on Tuesday July 31 2018, @10:30AM
Those concerns are apt for Meltdown and Spectre related bugs. But this is the separate IME, which is Intel's bug-riddled spying/monitoring system.
(Score: 5, Informative) by fraxinus-tree on Tuesday July 31 2018, @10:31AM (13 children)
Patching Intel ME bugs is not related to performance.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @11:14AM (12 children)
Then is this really a big deal, I mean other than Intel forcing an unnecessary feature upon their customers?
(Score: 2) by MichaelDavidCrawford on Tuesday July 31 2018, @11:17AM (9 children)
Other people such as the Sicilian Mafia, the Russian Mob, the Japanese Mafia, the Chinese Tong or the Occasional Nigerian Sole Proprietor [warplife.com].
Have A Nice Day! <3 :-D <3
Yes I Have No Bananas. [gofundme.com]
(Score: 5, Interesting) by bzipitidoo on Tuesday July 31 2018, @12:39PM (8 children)
Got to use a car analogy here.
Tell me, is it a big deal if it's your car on which someone else could Manage your Engine? Suppose it could take over the controls at any time and drive your car with you and yours in it to any destination they like. Maybe to the nearest police station, after informing the cops that you have illegal drugs in your car?
And further, suppose it has severe bugs, which allow hackers to remotely access it at will, and also which might cause it to drive your car off the side of the nearest high bridge, or cross the median and crash you into oncoming traffic?
Now, imagine these puppies at the heart of medical devices vital to your continued good health. Yeah, that Management Engine is looking real scary stoopid now. Worse than Spectre, which after all can only be used to access data it shouldn't be able to access. Obviously Intel did not bother to formally verify the ME's functionality, or it wouldn't have these bugs.
(Score: 5, Informative) by requerdanos on Tuesday July 31 2018, @01:00PM (6 children)
I am pretty sure this goes by the name brand "OnStar" (and as an additional feature also tracks your every movement for the benefit of law enforcement and intelligence agencies) and, while malevolent*, is considered by the majority of the car-buying public as no big deal at all--a desirable feature in fact.
Don't get me wrong, the non-optional forced-on-you "management engines" are evil agents of disaster and should be eradicated; they are a big deal.
But we who think so are the frogs who think the water seems to be getting warmer here in the kettle, and are crying "the water is going to boil!" to the vast majority of other seasoned and tenderized frogs who hear us and mutter "alarmist idiots."
-----
* I get regular e-mails from OnStar with things like "only xxx miles until your next scheduled oil change" and "your tire pressure is low" for a "Chevrolet Silverado" belonging to someone who gave the dealer my e-mail address instead of theirs [xkcd.com]. I've contacted OnStar and told them (they won't make changes on the account unless I give them personal information identifying the specific vehicle or account holder), I've contacted the dealer listed at the bottom of the e-mails (they say contact OnStar), no dice. OnStar does not care about your privacy, as part of their very nature, but I've learned they don't even care about appearing to care. Maybe one day I'll just mail all the reports to the owner of the vehicle telling them how I notified OnStar and the dealership about their personal information going to a stranger, with copies to news agencies. Or maybe not. What does Soylent think?
(Score: 4, Informative) by The Mighty Buzzard on Tuesday July 31 2018, @01:04PM
Is this even a question? Sounds like fun for the whole family.
My rights don't end where your fear begins.
(Score: 2) by MichaelDavidCrawford on Tuesday July 31 2018, @01:38PM (3 children)
It happens that my own email is mdcrawford@gmail.com.
Most serious is that Dr. Crawford of I think Sydney Australia doesn't get the email that informs his hospital's staff that a particularly sick patient has arrived and is waiting for Dr. Crawford to transplant one of their organs.
Most absurd is that I looked up some other m.d. crawford's phone number in _my_ profile in Bing Webmaster tools then rang him up to point out that he's been giving out my email address and not his own correct one.
And yes he really _did_ ask "How did you get my number?".
He wasn't trying to use Bing Webmaster Tools, he was trying to get a job at Microsoft.
It happens that a certain Marion Crawford of New Orleans, Louisiana was looking for auto mechanic work for quite a long time. I don't know whether his time of unemployment led him to take his own life or whether he finally clued in to the right email address to give to his potential employers.
I could go on for days. I mean I really could.
Time For Breakfast!
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by Runaway1956 on Tuesday July 31 2018, @04:28PM (2 children)
http://www.obitsarchive.com/obituaries/usa/louisiana?lname=Crawford&fname=Marion&formDate=&kwinc=&sort=dsc [obitsarchive.com]
Marion Lucille Crawford Spann, deceased in Baton Rouge, 1/20/2017. Another Marion Crawford died April 28, 2000, but he's not likely your Crawford. Marion seems a masculine name to me, but Marion Lucille sounds more feminine. The Spann at the tail end of the name makes me think Crawford was a maiden name, Spann the married name? Ehhh, who knows. Then again maybe not even related to your Crawford.
I clicked the direct link to Crawford's obit, but you have to have an account to actually view it.
Abortion is the number one killer of children in the United States.
(Score: 2) by MichaelDavidCrawford on Tuesday July 31 2018, @06:17PM (1 child)
I was just _joking_ about Marion's suicide.
Yes I Have No Bananas. [gofundme.com]
(Score: 3, Funny) by requerdanos on Wednesday August 01 2018, @12:11AM
Death would not be nearly as likely to stop the "Job opening for you" e-mails as correcting the e-mail address would be.
(Score: 1, Touché) by Anonymous Coward on Tuesday July 31 2018, @03:17PM
You will go to jail
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @08:25PM
Please make a senator encryption backdoor analogy.
(Score: 3, Informative) by unauthorized on Tuesday July 31 2018, @11:37AM (1 child)
AMD too with their equivalent (the PSP), though the latter recently took some positive steps [phoronix.com] in that regard.
(Score: 4, Insightful) by requerdanos on Tuesday July 31 2018, @02:49PM
I agree, that's a positive* step, but in my (possibly paranoid) opinion, an option to "turn off" BIOS support for your computer's "built-in secret full-privilege rootkit controlled by not-you" still isn't very reassuring, because it doesn't make you magically have no "secret full-privilege rootkit controlled by not-you".
-------
* Well, maybe not positive; maybe "ever so slightly less negative."
(Score: 0) by Anonymous Coward on Wednesday August 01 2018, @04:57AM
This should be a global, world-wide recall. But... Intel will walk free with no consequence or fix. Me, I want them to come and unsolder their faulty chips from every machine I have and replace them with new ones. I can dream.
(Score: 3, Informative) by Anonymous Coward on Tuesday July 31 2018, @10:33AM (4 children)
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00112.html [intel.com]
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00118.html [intel.com]
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @05:12PM (2 children)
Alright... it's 6.5 hrs later, none of the posters seem to have read the details of the neat and easy-to-verify subnet-takeover exploit, while the top-rated post is about cars.
(Score: 2) by The Mighty Buzzard on Tuesday July 31 2018, @07:19PM
I dunno about the rest of them but I don't particularly care about the details. I'm using pre-PSP AMD chips in all my local boxen still. And likely will be as long as they live or I can get replacement parts. Or until RISC-V becomes a viable alternative.
My rights don't end where your fear begins.
(Score: 4, Insightful) by requerdanos on Tuesday July 31 2018, @07:50PM
I wouldn't say no one's read the details; merely that no one's posted about them here, and no wonder. For BOTH of those links, the official Intel "Summary" reads as follows:
For convenience, I have highlighted the parts that are either empty buzzwords or outright lies in italic text that the reader may more easily identify threats to their personal and/or organizational security (i.e., all of them).
Because "continuously enhanced firmware resilience" of Intel's full-privilege rootkit on your computer means simply that they want to hold their own hands more firmly to your throat, as opposed to someone else's, the details that follow that are interesting, sure, but aren't the bigger story. As such, those security details might be less closely followed than the overarching privacy story.
(Score: 0) by Anonymous Coward on Thursday August 02 2018, @07:17AM
This really amounts only to Not guilty, your Honor!
Sure, it's one side to be considered but certainly not to be given undue weight.
(Score: 3, Insightful) by MichaelDavidCrawford on Tuesday July 31 2018, @11:14AM (4 children)
You say that like it's a bad thing.
Yes I Have No Bananas. [gofundme.com]
(Score: 5, Informative) by stormwyrm on Tuesday July 31 2018, @01:14PM (3 children)
Numquam ponenda est pluralitas sine necessitate.
(Score: 2) by DannyB on Tuesday July 31 2018, @01:33PM (2 children)
If management is good, then remote management must be even gooder.
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 2) by bob_super on Tuesday July 31 2018, @04:25PM (1 child)
And the supremely goodest thing is remote management which does not disturb the computer's user by leaving tracks or requiring permissions.
(Score: 4, Insightful) by DannyB on Tuesday July 31 2018, @04:45PM
Even much more better is if the remote management can be done when the user has "turned off" the computer.
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 3, Insightful) by Thexalon on Tuesday July 31 2018, @12:59PM (12 children)
The NSA now has a new way of getting into Intel-based machines.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 4, Insightful) by The Mighty Buzzard on Tuesday July 31 2018, @01:06PM (2 children)
Almost certainly doesn't need one though. I have no doubt whatsoever that they had the keys to the kingdom on every Intel box that had it within two weeks of the IME shipping.
My rights don't end where your fear begins.
(Score: 2) by bob_super on Tuesday July 31 2018, @04:31PM (1 child)
Pretty much by definition.
The NSA advises/controls purchases for millions of computers deemed "sensitive". Intel has regular meetings with them to show them the latest boot/firmware code, in exchange for which they occasionally get told to fix a bug or two, and get to sell to that market.
(Score: 0, Disagree) by Anonymous Coward on Wednesday August 01 2018, @08:06AM
FTFY
(Score: 2) by DannyB on Tuesday July 31 2018, @01:37PM (8 children)
Allow me to speculate wildly.
Once upon a time the NSA had a way into all PCs via an NSA malware tool known as Windows.
Linux growth spoiled that. Shame, shame!
Now we have compromise baked directly into the hardware. What could be better? And best of all, the end users pay for it!
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 4, Touché) by Thexalon on Tuesday July 31 2018, @02:32PM (7 children)
Counterpoint: They can still get in by taking advantage of the malware tool known as "systemd".
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2) by DannyB on Tuesday July 31 2018, @03:10PM (2 children)
That is a Touché!
If you eat an entire cake without cutting it, you technically only had one piece.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @04:32PM (1 child)
Show us on the teddy bear where pedobear touchéd you.
(Score: 4, Funny) by The Mighty Buzzard on Tuesday July 31 2018, @07:22PM
Douché.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Tuesday July 31 2018, @09:15PM
Intel has been patching old firmwares, sometimes even multiple times... but they only distribute some of them, never mind that all are marked as ready.
Example with two unreleased updates (or three, where is 0x08?) https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903141 [debian.org]
So why update them and later keep them? Only for NSA machines?
(Score: 2) by eravnrekaree on Wednesday August 01 2018, @03:08AM (1 child)
This is so misinformed it's really astounding. You can configure systemd to your heart's content. It's open source. You control it. If you would actually look into it rather than rattle off some canned token phrase you heard someone else say, you would know that.
(Score: 0) by Anonymous Coward on Thursday August 02 2018, @02:59PM
Configure? How about change?
Let's start with decoupling it from the Desktop so it can act only as an init.
(Score: 0) by Anonymous Coward on Thursday August 02 2018, @02:56PM
Does anyone comprehend SystemD enough to do that and not unintentionally break stuff?
(Score: 2) by Arik on Tuesday July 31 2018, @01:21PM (2 children)
If laughter is the best medicine, who are the best doctors?
(Score: 2) by The Mighty Buzzard on Tuesday July 31 2018, @07:22PM
Damn you, stackoverflow!
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Wednesday August 01 2018, @08:04AM
(Score: 2) by eravnrekaree on Wednesday August 01 2018, @03:05AM (1 child)
It's not surprising, but it's something I would care about. The whole Intel ME concept is a turd and should be discarded. The basic problems have been mentioned many times before as to why the concept is fundamentally flawed. It does not provide greater security; everything it does should be done at the OS level.
(Score: 0) by Anonymous Coward on Thursday August 02 2018, @02:52PM
Somehow I doubt they care what you or anyone else thinks