
Intel Management Engine Critical Firmware Update - osivertsson
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html
======
AdmiralAsshat
So is this actually a critical vulnerability, or is this just Intel plugging
one of the recently-found exploits that lets us disable the IME?

~~~
canada_dry
BING BING BING

Guaranteed it's the latter. Intel isn't about to give up the huge contracts it
has with NSA.

~~~
rubatuga
Any proof?

~~~
CamperBob2
After the Snowden disclosures -- never mind the whole Room 641A business
(https://en.wikipedia.org/wiki/Room_641A) -- I think the only safe assumption
is bad faith on the part of both government and industry.

In fact, that's the whole problem with extrajudicial domestic spying. In
defiance of the principles of both justice _and_ logic, the innocent are
presumed guilty, and the burden of proof is shifted to the skeptics.

------
ajdlinux
What's changed in this advisory since it was first issued November 20? Just
more vendor links?

------
partycoder
The Intel Management Engine IS the vulnerability.

Read this like: We are patching our backdoor so no one but us and our
undisclosed friends can own you whenever we want.

~~~
agumonkey
This could prove harmful. If people analyze the patch they might get more
information.

------
chinathrow
I wonder about the long-term effect on unpatched MEs out there.

What would a skilled attacker use it for? Hack nearby laptops of folks within
the cryptocurrency world?

~~~
bhouston
Could one write a worm that worked purely on the Intel ME, spread machine to
machine via ME Ethernet monitoring, that could then look at the local HD for
crypto keys and report them back to a remote server?

Is the above theoretically possible?

~~~
userbinator
I envision a worm that disables the ME completely once it's found and
"infected" another few. Perhaps show a message that says "Your computer is now
owned... by you." That would certainly raise some interesting discussion about
ethics...

~~~
tqkxzugoaupvwqr
While this is possible, people with dark motives are clearly incentivized
more.

------
Animats
Intel:

 _A status of May be Vulnerable is usually seen when either of the following
drivers aren't installed:_

 _Intel® Management Engine Interface (Intel® MEI) driver_

 _Intel® Trusted Execution Engine Interface (Intel® TXEI) driver_

If adding closed-source Intel drivers is a "fix" for a vulnerability, that
sounds like a way to get a Trojan onto your system.

Who audits Intel?

~~~
kogir
Without the drivers the tool can’t check, so it has to report “may be
vulnerable”.

------
mark_l_watson
Apple is not on the vendor list. Q: Why not?

~~~
tgragnato
> Intel® ME 11.0.0-11.7.0

Apple is shipping 10.0 with High Sierra.

~~~
mjg59
Not if they're using Skylake or later CPUs.

------
SpikeDad
I remove the drivers during deployment. How much does that reduce the
vulnerability footprint? Assuming that Lenovo has indeed enabled the firmware
write protect feature that Intel describes?

~~~
pmorici
Not installing the drivers prevents your OS from interacting with ME but I
don't think it changes the fact that ME has exceptional access to your
computer.

------
api
What value does the ME actually offer the user? Why is it even there?

~~~
0xcde4c3db
As far as I've read, it's more targeted at corporate deployments when the
owner/administrator and user aren't the same person or authority. It allows
things like remotely reimaging the machine if the OS install gets screwed up,
deleting encryption keys if the machine is stolen or otherwise compromised,
verifying that the mandatory "endpoint protection suite" is actually running,
etc..

~~~
wolf550e
But also secure boot and full disk encryption and SGX.

~~~
mrmondo
You don’t need Intel ME for full disk encryption? Or is that a Windows-only
requirement I’m unaware of?

~~~
wolf550e
I think some laptops don't have a hardware TPM and use software running on ME
instead.

