Subject: General Tech | July 19, 2018 - 02:53 PM | Jeremy Hellstrom
Tagged: security, patch, intel management engine, Intel, IME
A bit before Christmas last year, Intel provided sysadmins with a lovely present, vulnerabilities in the on chip Intel Management Engine which you could not even tell if they had been used to breach your systems. Intel have now publicly released four advisories pertaining to the IME, so that interested parties can investigate for themselves. These were already released to system builders and patches released, after a quite a long delay. This is better late than never ... assuming you are not running anything older than a fourth generation Core processor.
"Now that Intel's advisory is public, it's clear that Chipzilla has known the particulars for some time, and has been privately working with computer manufacturers to push fixes ahead of disclosure. For example, Lenovo emitted firmware fixes in April, and Dell no later than June."
Here is some more Tech News from around the web:
- Apple confirms its new MacBook Pro keyboard has a 'membrane' to prevent dust borkage @ The Inquirer
- Windows 10 IoT Core Services unleashed to public preview @ The Register
- Intel's 9th-gen 'Coffee Lake S' processors could debut in August @ The Inquirer
- Analyzing Graphics Card Pricing: July 2018 @ TechSpot
- Fork it! Google fined €4.34bn over Android, has 90 days to behave @ The Register
Subject: General Tech | December 7, 2017 - 01:45 PM | Alex Lustenberg
Tagged: podcast, xfx, Vega, Raspberry Pi, radeon, qualcomm, nicehash, Intel, IME, GTX 1070Ti, gddr6, evga, Elgato, dell, coolermaster, cluster, asus, arm, amd, AM4, Adrenalin Edition, 4k60, 10nm, video
PC Perspective Podcast #478 - 12/07/17
Join us for discussion on Windows on ARM, Intel 10nm rumors, and more!
The URL for the podcast is: http://pcper.com/podcast - Share with your friends!
- iTunes - Subscribe to the podcast directly through the iTunes Store (audio only)
- Google Play - Subscribe to our audio podcast directly through Google Play!
- RSS - Subscribe through your regular RSS reader (audio only)
- MP3 - Direct download link to the MP3 file
Hosts: Ryan Shrout, Josh Walrath, Jeremy Hellstrom, Allyn Malventano, Jim Tanous
Peanut Gallery: Alex Lustenberg
Program length: 1:39:42
0:03:30 PCPer Mailbag #020 - 11/30/2017
Week in Review:
News items of interest:
Subject: General Tech | December 4, 2017 - 07:05 PM | Tim Verry
Tagged: system76, security, linux, Intel, IME, dell
Update 12-5-2017: Dell has provided a statement in response to the IME news which is as follows:
- "Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro - ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality it was not previously made available to the general public.
- Recently, this option was inadvertently offered online as a configuration option for a couple of systems on Dell.com. Customers interested in purchasing this SKU should contact their sales representative as it is intended to be offered as a custom option for a select number of customers who specifically require this configuration."
(End of update.)
Niche system vendors System76 and Purism are now joined by Dell in offering laptops with Intel's Intel Management Engine (IME) blackbox disabled. The company, one of the largest laptop manfacturers, currently offers three higher-end laptops with the configuration option of "Intel vPro™ - ME Inoperable, Custom Order" where for around $20 Dell will disable IME. IME has come under fire recently due to a major vulnerability that affects many of its Core series processors and has had bugs dating back years.
IME is baked into Intel processors dating back to 2008 and operates at what is known as Ring -3 meaning that it has privileges well above that of software, drivers, OS kernel, and even UEFI. IME is an autonomous subsystem with its own processor running its own software that has full control over the computer and even has its own networking stack. Intel has obfuscated that closed source code and has made it notoriously difficult to enable while also claiming it is necessarly for the processor to hit full performance. Security researchers and companies like Google have committed to disabling it (there is a way to turn it off though Intel has not documented it). IME can be used alongside Intel AMT / vPro features (Ring -2+) for remote management, and since IME runs even when the system is off it makes it easy to roll out OS upgrades and re-image machines. Home users however do not need IME, but have traditionally been stuck with it anyway along with its security holes. (Note that AMD has its own platform management subsystem with the PSP though it has not drawn nearly the high profile reputation Intel has with the latest bugs and promised patches.)
Specificlaly Dell is offering to disable IME for a small fee on the Latitude 14 Rugged laptop, Latitude 15 E5570, and Latitude 12 Rugged tablet which all run 6th Generation Core (6000 series and Core M) processors. Purism plans to sell PCs with IME disabled going forward and System76 has promised firmware updates for disabling IME on its PCs sold within the last few years. In reading about IME online, it seems that disabling IME is a tricky endevour with the potential to brick the system, but it can be done and the more documentation these vendors do the better for Linux, open source software, and security concious consumer proponents. For now you will have to pay a small fee to disable it but if you are worried about IME the peace of mind might be worth it. Also, with Dell now on board it shouldn't be long before other vendors start offering systems sans Intel Management Engine. Hopefully they are able to offer this IME disabled feature on models with the latest Intel processors as well for those that want it as the latest round of major bugs affected Skylake, Kaby Lake, and Coffee Lake CPUs.
What are your thoughts on this? Have your systems received an IME security patch? In any case, with the IME bugs, Mac OS High Sierra secuirty hole, and iOS encrypted backup loophole it has not been a good month for security!
- Intel Patches Major Flaws in the Intel Management Engine @ ExtremeTech