Intel Fixes Yet Another Flaw In Management Engine

Status
Not open for further replies.
Aug 28, 2018
3
0
10
These processors and chipsets were defective from the beginning and should have been replaced by Intel. Eventually there will probably be a class action suit because they were sold as new and without flaws. I will never buy an Intel chip or chipset again because of this.
 

Deleted member 2449095

Guest
Whenever I read about another vulnerability in Intel's ME I ask myself: why is it enabled in products for regular users? I don't need it. It's for administrators. Even if the possibility of my system being affected is remote, why bother selling a bucket that has a hole in it? Just disable it. It's not like processor manufacturers are strangers to such practice.
 

deadsmiley

Distinguished
Mar 31, 2014
49
1
18,545
Intel hasn't "fixed" Spectre yet. They just enabled a flag that can be turned on to prevent the attack, but it slows down the PC. Enabling the flag is completely optional. Look for Linus Torvalds' rant about that.
 

WINTERLORD

Distinguished
Sep 20, 2008
1,775
15
19,815
I read this article; too bad it didn't include a link in the article for convenience. I've done updates before, and many, but for some reason had a hell of a time finding this update.
 
Jul 10, 2018
11
0
10
STEVEWOOD963 said:
"These processors and chipsets were defective from the beginning and should have been replaced by Intel. Eventually there will probably be a class action suit because they were sold as new and without flaws. I will never buy an Intel chip or chipset again because of this."

What planet are you from!?! a) They don't recall for things like this, they patch; b) NO product or service is sold "without flaws" (new has nothing to do with it), and any user agreement states that this should never be assumed; c) No class action would ever be considered on something like this, when it can just be patched or disabled; and d) ALL processor manufacturers, like anything else, have vulnerabilities, AMD included.

This product isn't "defective," it has a *potential* security flaw. Previous Management Engine flaws were addressed, and Intel gave the option to disable it altogether. Even so, standard NAT firewalls prevent this engine from being exposed to the outside world so it really doesn't matter for the average consumer.

Good luck ever finding a technological device without flaws or vulnerabilities!


T.S.WIACEK said:
"Whenever I read about another vulnerability in Intel's ME I ask myself: why is it enabled in products for regular users? I don't need it. It's for administrators. Even if the possibility of my system being affected is remote, why bother selling a bucket that has a hole in it? Just disable it. It's not like processor manufacturers are strangers to such practice."

Intel CPUs are used in all sorts of products, often in a business environment. These types of management interfaces are in most modern processors, whether you as a consumer would use it, or not. And yes, usually Intel offers the ability to disable it altogether (a requirement, if I'm not mistaken, given by the NSA). But they aren't going to just "not sell it" because a theoretical vulnerability was discovered, one that has never been seen in the wild and is enormously unlikely to ever be exploited.

And no, IT is NOT just "for administrators." You do IT yourself whenever you manage your own computer. And they don't just redesign their products simply because you're a home user and won't make use of all the features. Believe it or not, some home users DO make use of these things.
 
Jul 10, 2018
11
0
10
WINTERLORD said:
"I read this article; too bad it didn't include a link in the article for convenience. I've done updates before, and many, but for some reason had a hell of a time finding this update."

Don't even worry about it. This, like the other Management Engine vulnerability, and the overhyped Spectre and Meltdown vulnerabilities, are theoretical, potential vulnerabilities that so far, nobody has ever seen in the wild, that would require a ton of work just to implement. In every case, the cure was far, far worse than the actual disease. One of Microsoft's patches for either Spectre or Meltdown actually OPENED UP a whole score of vulnerabilities far worse than what it was supposed to patch.

Just more hype and nonsense. And I've had too many crashes & problems this year from Microsoft's and Intel's "critical security updates."
 
Jul 10, 2018
11
0
10
Geez guys, don't any of you proofread before you comment? Check your grammar? There IS a spell checker built into your browser, you know.

PETER MARTIN wrote:
"Yeah and I bet it’s all the stuff causing all the stuttering in games and whatnot. Crap NSA backed design. I’ll never buy an Intel product ever"

I doubt that's what's causing the stuttering, as we haven't seen the Management Engine vulnerabilities exploited in the wild and it's not connecting to anything unless you're explicitly using it to manage workstations on your network.

HOWEVER, there are too many "convenient" vulnerabilities I've seen publicized over the past two years or so, from the various Intel vulnerabilities to the big OpenSSH vulnerability a couple years ago, many of which have been known, and have existed, for YEARS without action -- I wouldn't doubt that the NSA, CIA, or the like had various companies implement backdoors of various types into their products. The OpenSSH vulnerability was too neat & convenient. We already know these agencies write their own malware to infect specific targets, and we've seen proof of their obtaining master encryption keys from some commercial Certificate Authorities that allow them to decrypt anything encrypted by certs from those CAs. All of that, combined with countless troubling vulnerabilities constantly popping up from firewall, UTM, & security appliance vendors, tells me that it's likely they had "backdoors" of sorts put into all of those products that allowed them to exploit them in order to gain access to targeted computers and networks. I've never seen so many get exposed as we've seen in the last couple years. So it wouldn't surprise me one bit to learn that these were their doing.

It really makes me wonder how secure ANY of these systems really are, if any of the security even we professionals THINK we have, even exists. From everything I've gathered, RSA with a sufficiently long key length like 2048-bit is still unbreakable, as is AES, but that depends on the security of your keys (and running patched OpenSSH to generate them). Not using commercial CAs helps. But outside of the encrypted communications, how many of the other systems can the alphabet agencies gain access to at any time they want? And if they can, how many other nefarious entities can as well?

As always, don't store stuff that could get you into trouble in the cloud or on your phones, and encrypt anything sensitive on your computer. Store sensitive stuff offline such as on a USB drive that you disconnect when you're not using it. If it's really sensitive, USE PAPER! In the end, nothing is unhackable, but you can at least make it difficult enough that nobody will bother trying. And why are you keeping things that could get you into that kind of trouble, anyhow!?!

One thing is certain, too many people get their own personal files hacked and their identity stolen in situations that are completely preventable with just minor effort. Politicians especially seem to fall prey to this. Maybe, just maybe someday people will get smart and stop making it so easy for others to ruin their lives over this kind of thing!
 