All I want for Christmas ... is an Intel firmware patch

Subject: General Tech | November 24, 2017 - 01:22 PM |
Tagged: Intel, 7th generation core, 6th generation core, 8th generation core, apollo lake, xeon, security

The issue with Intel's processors is widespread and a fix will not be available for some time yet.  The flaws in their security features are present in 6-8th gen Core chips, as well as a variety of Xeons, Celerons and Apollo Lake CPUs which accounts for a wide variety of systems, from gaming machines to NAS devices.  All suffer from the vulnerability which allows compromised code to run a system invisibly, as it will be executed below the OS on the actual chip.  From what The Register gleaned from various manufacturers, only Dell will release a patch before 2018 and even that will only offer a solution for a very limited number of machines.  The end of 2017 is going to be a little too interesting for many sysadmins.

View Full Size

"As Intel admitted on Monday, multiple flaws in its Management Engine, Server Platform Services, and Trusted Execution Engine make it possible to run code that operating systems – and therefore sysadmins and users – just can't see."

Here is some more Tech News from around the web:

Tech Talk

 

 

 

 

Source: The Register

November 24, 2017 | 01:47 PM - Posted by Phew (not verified)

Good thing i have the 5775-C

November 27, 2017 | 12:19 AM - Posted by Phil E (not verified)

You do? Wow, I thought I was the only one who bought that CPU.

November 24, 2017 | 02:32 PM - Posted by WTFisChipzillaUptoWithThatTannenbaum (not verified)

It's this and the Fact That UEFI is also an OS of sorts in itself that runs below OS ring 0 and that's even more problems of a SuperFish level.

Yes the Unified Extensible Firmware Interface(UEFI) is Extensible and pleny of good as well and nasty things can happen there if the devices' OEMs see extra $$$ in doing so! As well as the Security Risks of so much unvetted/unvalidated for security risks extending of that UEFI's Extensible framework by OEMs.

With all these hardware/firmware/ME weak links happening at levels even below the Type-1 Bare metal Hypervisor Level on the lower Rings of hardware/firmware/Intel Management Engine levels. It's all below 0, in these mad below 0-day pawnage levels of XMAS joy!
.
.
.
Oh Tannenbaum! Oh Tannenbaum!

Your OS's Pawnage frightens us!

It Runs below Ring Zero in ways that don't adhere to!

Best standards of security!

Your OS has been included in so much nefarious doings!

By three letter agency miscreants!

And crooked online princes!

Oh Tannenbaum! Oh Tannenbaum!

Your OS's Pawnage spites us!

November 27, 2017 | 12:21 AM - Posted by HTE (not verified)

You seem to know big words, but not how to put them together in a coherent manner.

November 24, 2017 | 03:16 PM - Posted by Krom (not verified)

Probably the best way to patch up and get rid of these easily exploited technologies is to show proof of concept using them to disable/circumvent DRM and other forms of copy protection.

Nobody cares about consumer privacy or security because the penalty for failing there is practically nothing, but circumventing copy protection/DRM on the other hand could easily bring a few actually expensive lawsuits down that even a giant like Intel would be hard pressed to write off as the cost of doing business.

November 24, 2017 | 05:51 PM - Posted by vailr

A good source for Intel ME update info is:
https://www.win-raid.com/t596f39-Intel-Management-Engine-Drivers-Firmwar...
Contrary to what this pcper.com article seems to imply, it is possible for end users to update to the latest Intel ME firmware, even if the board manufacturer is being laggard in that regard.
Side note: a company called Purism offers laptops that have the Intel ME firmware disabled:
https://puri.sm/products/

November 27, 2017 | 12:33 AM - Posted by TimeToPanicOverTheHolidays (not verified)

I thought some folks were working on getting their computers working with that shit turned off, or at least running in a limited mode where it just does what most people think it does, manage the chipset functions. They were slowly chipping away at the code to this omnipresent beast and I remember reading that their only hang-up was the trial and error being costly as the FPGA or whatever the shit's printed on physically blows fuses when you try to flip bits and reprogram it. Bum.. bum bum, bum bum. Shit inside! And on top of that it turns the computer off after 30 minutes if it knows you've disabled it. Some will blame the NSA or CIA for making Shitel put the backdoor there in the first place. People without tinfoil in their wardrobes hope it started with good intentions and was just poorly executed. No one can deny that it is going to be a MAJOR problem for EVERYONE if some rooskie gets in to it and learns the exploits.

November 25, 2017 | 08:53 PM - Posted by spartibus

Consumers need to be given the ability to shut down the IME entirely.

November 27, 2017 | 03:52 AM - Posted by Johan (not verified)

Yes people can do bios updates without the manufacturer giving the green light, but when it comes to system critical installations and server farms, no sysadmin is going to take the chance and put his job on the line for it.

This is a serious problem for Intel and time will tell how serious. I for one will be very wary of Intel products for now.

To update an OS security patch is not a difficult task, but to update motherboard bioses can be quite a hassle. Just think if you have to update rows and rows of servers' motherboards, your cloud servers won't be of line just for a few minutes. Then there is always the chance that the flash might not work right or brick a motherboard. Although proper flashing should not be a problem, there is always Murphy's law...

November 27, 2017 | 09:25 PM - Posted by Veer (not verified)

Asus Z170a boards already have a patch available.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <blockquote><p><br>
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options

By submitting this form, you accept the Mollom privacy policy.