ME! ME! ME! – Intel's management tech gets a quartet of security fixes

In case you missed it, Chipzilla has gone public with more security updates for the Intel Management Engine. The advisories, here and here, address four exploitable bugs. Positive Technologies, which discussed the bugs in detail here, identified CVE-2018-3628, a “Buffer overflow in HTTP handler” as the most serious. That's …

  1. Will Godfrey Silver badge
    Unhappy

    Again?

    Yet more buffer overruns, one of which is related to HTML - something not noted for tight in-built sanitation. I was going to ask "What were they thinking?" but clearly somebody wasn't.

    1. Anonymous Coward
      Anonymous Coward

      Re: Again?

      Maybe they were thinking (when they shipped this) that shiny shit sells, based on share-prices and similar historic evidence.

      Apparently it still does sell. It's probably going to carry on doing so, until the people in the corporate boardrooms start to feel their own personal share of the pain, as well as taking their own personal share of the gain.

      "Our time as victims is over

      We will no longer ask for justice

      Instead we will take our retribution"

  2. Anonymous Coward
    Anonymous Coward

    Compulsory remote management

    Now who would want that in a home PC?

    1. Jim Mitchell

      Re: Compulsory remote management

      Typical PC sold for "home" use isn't going to have the vPro that has these flaws, I think.

      1. bombastic bob Silver badge
        WTF?

        Re: Compulsory remote management

        "Typical PC sold for "home" use isn't going to have the vPro that has these flaws, I think."

        Yeah, right, "restrict" home users to an INFERIOR model? I don't think so. Yeah, I know that's an extreme 'straw man' kind of position, but I'm using that illustration to make the point that ANYBODY should be able to have ANYTHING HE WANTS, and if it's a "business" version, then so be it.

        Besides, the problem here isn't whether or not a user is a 'home user'. The problem is that INTEL PUT THIS THING INTO THE SILICON. It is a _REASON_ to _NOT_ use their silicon.

        HEY INTEL how about an UPDATE to LET US CANONICALLY SHUT THE @#$% *OFF*???

  3. Chronos
    Big Brother

    Just kill it already

    As title. This and AMD's SP are toxic tech and another pointless malware vector. Disable it by default and allow people to choose. Or is there some three-letter reason you two are shipping parts with this crap activated?

  4. JMiles

    "The Intel Core 2 Duo vPro, Intel Centrino 2 vPro, 1st Generation Intel Core, 2nd Generation Intel Core, and 3rd Generation Intel Core won't get patches because they are now so old that Chipzilla no longer supports them." - so they put in this ME stuff that a multitude of security experts said was a bad idea at the time, and now want to claim it's too old to support? How about just offering the option to disable ME for old chips that should never have shipped with this trash in the first place?

    Cue US lawsuit, please.

    1. Jim Mitchell

      You want an infinite time limit on product security defect liability? Even most criminal violations are time-barred at some point.

      1. whitepines

        And most patents expire after ~20 years. Copyright and related DRM, it seems, are forever, so why would liability during the copyright period be unusual?

  5. mark l 2 Silver badge

    I was considering changing out my 10-year-old Dell laptop with an AMD CPU for something newer, as I have maxed out what RAM it will take, but the more I read the more I think I am better off holding on to it until these flaws have been fixed and this management engine BS can be disabled completely, as I don't require it on a home computer.

  6. OrneryRedGuy

    Glue

    The solution seems quite simple: fill the onboard ethernet port with glue, and drop in a non-Intel network card. My understanding is that the ME network interface is only exposed through network interfaces provided by Intel chipsets (and only certain ones at that?). Laptop users may have to resort to using an external dongle if they can't replace the built-in Intel wifi.

    1. Anonymous Coward
      Anonymous Coward

      Re: Glue

      "The solution seems quite simple: fill the onboard ethernet port with glue, and drop in a non-Intel network card."

      I did that a decade ago. I'd bought an ex-lease corporate desktop for home use, partly so I could remotely access the thing via AMT/vPro while I was working away, without needing its OS to be alive (and without spending a fortune on corporate IP-KVM gadgets that cost hundreds of dollars to achieve the same thing via a relatively leakproof setup of VGA cable and frame grabber).

      Then I bought a similarly equipped corporate laptop for similar reasons; by that time a laptop had become a computer with a convenient built-in battery-backed power supply.

      Who'd have thought, a decade ago, that such remote access features could be used for nefarious purposes, especially if they were overcomplicated and underprotected and universally active (but not universally visible to the punter).

  7. whitepines
    Linux

    Of course for us Linux users there are other options. POWER9, ARM, RISC-V, you name it. The former in particular could replace these factory-backdoored Intel / AMD systems pretty easily, if https://www.phoronix.com/scan.php?page=article&item=power9-talos-2&num=1 is anything to go by.

    1. stephanh

      I've got the Power

      Looked at the "Talos™ II Desktop Development System".

      At $5,120.00 for the entry-level model, it is almost conceivable to own one.

      1. whitepines

        Re: I've got the Power

        Looks like there are also much cheaper versions, checking out the Twitter feed:

        https://twitter.com/RaptorCompSys/status/1020028291078676480

        https://twitter.com/RaptorCompSys/status/1020371675316215809
