Security news 27/11/2017
- For those who missed it last week, Intel has admitted another batch of fatal bugs in the Management Engine (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr). If by chance you missed the whole Management Engine story, it is simply a secret separate processor that cannot be switched off, with its own running OS, present directly on the silicon of all Intel processors since 2014, which operates at security level ring -3 (undetectable even for the BIOS/UEFI).
- Dell has already released a firmware update for all the machines (which most of our company owns). But there is no need to panic or to be in any extra hurry, as this is already one of several events of this type in Intel ME (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr), ranging from accepting a blank password (https://arstechnica.com/information-technology/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/) to making the JTAG outputs of the processor available over USB (https://news.ycombinator.com/item?id=15669262). More talks on this theme are registered for the upcoming Black Hat conference, so having undetectable, remotely exploitable holes in all the computers in the world is now the new norm, and we probably shouldn't get excited about it anymore. Thank you, Intel, and let's go on convincing our customers that security spending makes sense.
Author: František Řezáč