Business PCs from Dell, Lenovo, HP and others contain flawed software that shipped with Intel processors
The US Department of Homeland Security has warned businesses to take action after Intel issued an alert about a flaw with some of its widely used processors.
The law concerns the “Management Engine” (ME), which was until now a little known ‘master controller’ from Intel that shipped with eight types CPUs since 2008.
These processors were typically used in business computers sold by Dell, Lenovo, HP and others, and could potentially mean that millions of computers are now exposed to the flaw.
As a result, Intel has issued a critical firmware update for the ME, available here. Intel said it was responding after the flaw was discovered last week by external researchers.
“In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel Management Engine (ME), Intel Trusted Execution Engine (TXE), and Intel Server Platform Services (SPS) with the objective of enhancing firmware resilience,” the chip giant noted.
“As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk,” it added. “Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.”
The management engine essentially interfaces with system firmware during the boot up process. It therefore has direct access to system memory, the screen, keyboard, and network.
The ME code is said to be highly secret, but last week new vulnerabilities in the Active Management (AMT) module in some MEs meant that computers using Intel CPUs could be vulnerable to remote and local attackers.
And now the US government has waded into the issue, after the US Department of Homeland Security issued guidance on the matter, Reuters has reported.
It has warned system admins to review the warning from Intel, which includes a software tool that checks whether a computer has a vulnerable chip. It also urged admins to contact their computer makers to obtain software updates and advice on strategies for mitigating the threat.
“US-CERT encourages users and administrators to review the Intel links below and refer to their original equipment manufacturers (OEMs) for mitigation strategies and updated firmware,” said the US government in its advisory.
Does IoT security concern you?
- Yes (89%)
- No (11%)
Earlier this year Intel patched a remote execution flaw in millions of its workstation and server chips that remained under the radar for nine years.
That vulnerability, which has also been present since 2008, could have allowed hackers to gain system privileges in vulnerable computer hardware rather than go through the operating system, thus avoiding detection.
These flaws come at a time when Intel is spinning out is security division into the reinvigorated McAfee brand.
Quiz: What do you know about Intel?