US Government Warns Businesses Over Intel Management Engine Flaw


Intel has released a detection tool to help Linux and Windows users identify whether their machines are vulnerable.

'These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years,' said Jay Little, a security engineer with cyber consulting firm Trail of Bits.

Considering the critical nature of these chip flaws, Intel has also shared a tool that will enable users to check if their systems are affected.

In all probability, it's the venerable operating system Minix, running on a shadowy subsystem called the Management Engine (ME) that's built into all recent Intel computers.

The company noted that the most severe of the issues were discovered by security researchers Mark Ermolov and Maxim Goryachy from Positive Technologies Research.

Acer has published a long list of affected models, including devices in its Aspire and TravelMate Spin range. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible. Intel said that along with these, the Management Engine is also vulnerable to buffer overflows and other flaws that can be exploited for privilege escalation, local code execution, and remote code execution.

Intel Corporation (NASDAQ:INTC) said this week that just about all of its major computer processors produced over the past few years are affected by a massive security bug that could allow unauthorized access to sensitive system information.

The downsides of the Intel ME chips have already alarmed the security community. Many privacy activists, including Purism's security researchers, are anxious that ME could be used as a backdoor.

In an update to its original advisory, Intel said that its Intel NUC mini PC, Compute Stick, and Compute Card were affected.

The patch meant to fix these vulnerabilities will not be provided by Intel. This means that there will be no single solution for all devices and that devices cannot be fixed all at once.

The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability. It has yet to determine when firmware updates will be available, but will update the advisory when they are.

In addition to Intel's warning, the US Department of Homeland Security (DHS) also released a statement that brought the security flaw to the attention of American citizens and urged them to install security updates for their devices as soon as they become available. Dell and Lenovo do not yet have patches available; Dell's ship dates for new firmware are to be determined, and Lenovo is hoping to have some new firmware available by November 23.