Intel has released firmware that closes security holes in its processors and chipsets. The vulnerabilities affected desktop PCs, servers, and IoT devices. Manufacturers are reluctant to update their devices.
With Intel’s Management Engine (ME), administrators can remotely take control of a computer. For example, devices can be serviced without having an IT expert on site, which is useful. At the same time, however, the ME is attractive to attackers, because it also allows all of a computer's settings to be changed from another location, so that other people's computers can be taken over. For years, security experts have considered this feature the biggest flaw in Intel’s chipsets.
Intel has now announced that there are a number of critical vulnerabilities in the Management Engine and in Server Platform Services, the remote maintenance software that is based on the ME. This also affects the so-called Trusted Execution Technology (TXT). TXT is a hardware extension of the CPU and chipset that ensures a trusted environment and ensures that programs cannot access other applications without permission. Intel has incorporated TXT into numerous newer processors for business desktop platforms.
In addition, the chip manufacturer has provided firmware for its vulnerable processors and chipsets, which should close the vulnerabilities.
The problem: because the affected chipsets and processors reside in servers, desktops, and IoT devices, users must wait for an update from the system manufacturer. On a support page, Intel lists all companies that have released an update for their systems. Dell and Lenovo have been the first to provide patches.
Intel's advice to users
Intel advises users of other systems to contact the manufacturer or vendor of their device to inquire about when an update will be released. In some cases this could take a while.
What impact the ME vulnerabilities have is unknown. Intel is withholding information. “That looks pretty serious, but we’re not sure yet how easy the vulnerabilities will be,” said cryptographer and developer Filippo Valsorda. A whole series of systems is affected. Judging by the chipmaker’s reaction, Intel seemed worried enough.
Security expert Matthew Garrett writes on Twitter: “Based on the information we’ve learned, we do not know how serious the situation really is. It could be completely harmless, or a huge thing.”