
Intel has acknowledged and patched a new suite of security problems affecting its Intel Management Engine. This subsystem controls many low-level capabilities of the SoC, and can be used for features like remote access and Intel's Trusted Execution Engine. The company has released a list of ten vulnerabilities across multiple products that are addressed by recent driver updates. Potentially affected systems include:

  • 6th, 7th & 8th Generation Intel® Core™ Processor Family
  • Intel® Xeon® Processor E3-1200 v5 & v6 Product Family
  • Intel® Xeon® Processor Scalable Family
  • Intel® Xeon® Processor W Family
  • Intel® Atom® C3000 Processor Family
  • Apollo Lake Intel® Atom Processor E3900 series
  • Apollo Lake Intel® Pentium™
  • Celeron™ N and J series Processors

That's Intel's entire product line dating back to the introduction of Skylake. According to Intel, attackers could impersonate the Intel Management Engine, Server Platform Services, and/or the Trusted Execution Engine, load and execute arbitrary code without the user or OS being aware of it, and destabilize or crash a system altogether.

Intel's admission of multiple vulnerabilities is likely to raise eyebrows, given the company's previous conduct regarding IME. Intel goes to great lengths to hide exactly how IME works, and there's no way for the main x86 chip to even snoop on what the IME is doing (the IME has previously run on an embedded 32-bit Argonaut RISC core, though it's not clear if this is still the case). This means there's effectively a second operating system running on every single Intel processor, and there's no way for the user to control it or shut it off (disabling the IME on a motherboard with IME enabled will result in a non-booting system until the capability is re-enabled). While a research team did find a way to turn the function off by setting a single bit, they note that actually doing so could permanently brick a system. Also, it doesn't work until the system has actually booted and the main CPU has started. As of this writing, Intel has not offered a safe, reliable method for anyone to disable the Intel Management Engine.

Some of the IME's capabilities

We've really been finding out more about the IME in the past year than in the last half-decade. A Google software engineer recently confirmed that the system runs the MINIX 3 operating system. Google has reportedly been trying to replace proprietary firmware in its own servers, and the Intel IME has been a stumbling block to that process. Intel has released a detection tool so you can check to see if your system is affected by these issues. Updates will have to be issued by firmware vendors, however, so even if your system is impacted it may not receive a fix in the near future.