The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Critical Flaws in Computers Leave Millions of PCs Vulnerable

    Discussion in 'Hardware Components and Aftermarket Upgrades' started by Dr. AMK, Nov 21, 2017.

  1. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    Here's my Jokebook:

    [​IMG]
     
    Mr. Fox, hmscott and Dr. AMK like this.
  2. Vasudev

    Vasudev Notebook Nobel Laureate

    It needs certain criteria to be satisfied as in this screenie:
    mei.PNG
     
    tilleroftheearth, Dr. AMK and Mr. Fox like this.
  3. Vasudev

    Vasudev Notebook Nobel Laureate

    You need this one: SA00086
     
    Dr. AMK and Mr. Fox like this.
  4. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    @Papusan and @Dr. AMK - disabling the worthless Intel bloatware services makes the Clevo now reported as patched, LOL. @Prema might be interested in knowing this, too. If I re-enable those services and start them it is "vulnerable" again.
    Clevo_Patched.jpg
     
  5. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Dr. AMK and Mr. Fox like this.
  6. Vasudev

    Vasudev Notebook Nobel Laureate

    Good find. I have it set to manual on every PC I owned. Pretty much worthless. The only services from Intel I allow to run are HDCP services on Optimus/AMD Switchable graphics platforms.
    Even with those services disabled, Intel MEI can still allow unauthorised users if MEI is affected again. Open cmd in admin mode and run MEIinfo in the Discovery.GUI folder in Windows SA 0086.
    Even IRST driver startup is pretty much not needed to run in background. Wastes 0.1-5% of CPU and battery.
     
    hmscott, Dr. AMK and Mr. Fox like this.
  7. Robbo99999

    Robbo99999 Notebook Prophet

    MSI releasing a fix for this security flaw in their BIOSes:
    https://www.gamersnexus.net/industry/3154-msi-releases-security-patch-for-intel-txe-vulnerability

    MSI website is being hammered now, very slow to respond. My motherboard has not been patched yet, I browsed a few Z270 boards too, and they've not been patched yet either, a few Z370 motherboards seem presently patched though. I guess they'll filter the patches down from newest to oldest hardware, might have to wait a while for Z170 patch then!
     
  8. Dr. AMK

    Dr. AMK Living with Hope

    I tried all of this, and it is still the same: after shutting down and turning on, it shows vulnerable, and those services are not affecting the results. I think we need a FW patch, or maybe I need to install a fresh Windows to see if it will fix the issue.
    Very strange behavior: once I uninstall the IME and reinstall it again it shows not vulnerable; once I shut it down and turn it on it says vulnerable.
    Still 50-50 between the Intel tool and the FW, not sure where the issue comes from.
     
    hmscott likes this.
  9. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Hi Bro. I think with the correct firmware and drivers (which you already have) there is nothing to be worried about. I think what we are seeing is, and the point of my posts before is to demonstrate, that it is inappropriate to rely on the assessment tool to evaluate whether or not your system is patched or vulnerable. The tool itself is not trustworthy and can be influenced by other services in reporting false information. In your case we know beyond the shadow of any doubt it is properly patched. We do not need the tool to confirm it, and the tool is hit or miss. Where the accuracy of the tool would matter most is on a system that does not have the correct firmware and drivers if it were to be reported as "patched" when it is still "vulnerable" and needing attention. Thankfully, we have not seen an example of that so far. The erroneous results are generating false alarms and unnecessary anxiety rather than a false sense of security.
     
    Last edited: Nov 29, 2017
    Vasudev, Papusan and Dr. AMK like this.
  10. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    only install the INF Driver bro not the bloated Intel Fruit Set Wireless app
     
    tilleroftheearth and Vasudev like this.
  11. Mobius 1

    Mobius 1 Notebook Nobel Laureate

    oops

    I'll do inf installation next time
     
    Vasudev likes this.
  12. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    www.win-raid.com
     
    tilleroftheearth, Vasudev and Mr. Fox like this.
  13. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    I normally do only the INF installation for Intel ME drivers. @Prema provided an installer version to test with. I had already tried both and had erroneous results from the previous version of the assessment tool using the installer or INF only. I will likely uninstall the installer bloatware version with Revo Uninstaller Pro and switch back to INF only. For now, these services are disabled and not doing anything their insane creators intended for them to do.
     
  14. hmscott

    hmscott Notebook Nobel Laureate

    So, if those services restart, say after a Windows or driver update, or worse when existing or new MS scheduled scripts run to check the integrity of the services, "repair" disabled services, and then restart stopped services, that ME will be "vulnerable" again?

    It sounds like that Intel test app is messed up. It shouldn't be checking for version numbers or notice services activity, since the actual hack is done out of band via the network or USB (so far), the test needs to be more thorough and verify the actual vulnerability.
     
    Last edited: Nov 29, 2017
  15. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Yeah, seems like they messed up to me, too. But, those services are gone now. I also figured out how to snuff out the XTU service (XTU was not installed). So, the only Intel service I need to remove now is the worthless and unnecessary ProSet LAN bloatware crap. (I haven't found an INF-only driver to eliminate the Windows feces yet.) The Intel Assessment Tool is consistently showing the system as patched with the services removed, same as when they were disabled.
     
    Vasudev and hmscott like this.
  16. aaronne

    aaronne Notebook Evangelist

  17. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Vasudev, Prema, Papusan and 2 others like this.
  18. hmscott

    hmscott Notebook Nobel Laureate

  19. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Great news. Thanks for sharing. Now all we need is for the big name OEMs to release a patch that converts Windows 10 to Windows 7 and the world will be a better place. And, everyone's computers would be faster and more stable as an added bonus.
     
    TANWare, KY_BULLET, Vasudev and 2 others like this.
  20. macmyc

    macmyc Notebook Evangelist

    I don't understand why they are excluding 6th gen CPU models. For example my GT62VR doesn't have that tool shown on the support page but the one with 7th generation CPU has it. What the **** MSI? This is about security not some usual driver update that you can skip for "older" laptops.
    I'd like to understand if I can install the one for 7th generation without having to deal with a bricked box.

    EDIT:

    I just checked the FAQ:

    2. Visit the product download page to download the latest BIOS and Intel ME update tool.
    Estimated Release Date for the ME Update Tool:
    - Intel 6th Generation Processor: TBD o_Oo_O
    - Intel 7th Generation Processor: Dec. 4th, 2017
    - Intel 8th Generation Processor: Dec. 4th, 2017

    :mad:
     
  21. Robbo99999

    Robbo99999 Notebook Prophet

    I think they're prioritising patching newer models before the older ones. It's the same with the desktop motherboards - the Z370's are patched, but the Z270's & Z170's are waiting for a patch still - talking MSI motherboards here.
     
    hmscott and Vasudev like this.
  22. macmyc

    macmyc Notebook Evangelist

    Yup, that's it probably. I just checked the FAQ.
     
    hmscott likes this.
  23. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    When I try to run the patch on my GT73VR Titan Pro, this is what it gives me in the log:

     
    hmscott and Vasudev like this.
  24. Robbo99999

    Robbo99999 Notebook Prophet

    I think I read that they're expecting Z170 patches sometime in January.
     
    macmyc likes this.
  25. macmyc

    macmyc Notebook Evangelist

    Lol, quality assurance team strikes again :cool: have they tested it at least? :D
     
    Spartan@HIDevolution and Vasudev like this.
  26. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    :rolleyes: :rolleyes:

    Just sent them an email about this

    When I run the .BAT file, it silently installs the Intel Management Engine Driver v11.7.0.1054 but doesn't actually update the BIOS ME Firmware :rolleyes:
     
    macmyc and Vasudev like this.
  27. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    @Phoenix and @macmyc - did you guys try the @Prema ME update? Several people with the MSI 16L13 have used it and patched their MSI notebook.
     
    Papusan and Vasudev like this.
  28. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    no can you email it to me bro
     
    Vasudev likes this.
  29. Vasudev

    Vasudev Notebook Nobel Laureate

    I don't think BGA laptops will accept the ME FW update and Prema did warn the users not to try it. On mine the ME region is locked and only an OEM signature/special key can enable write access and prompt for successful flash. @Phoenix try running the MEitool in Discovery.GUI SA00086 vulnerability checker. See if the ME region is locked like mine as you see in the screenshot.
    Capture.PNG
     
    macmyc likes this.
  30. KY_BULLET

    KY_BULLET Notebook Evangelist

    Still trying to patch my MSI desktop (Z370 A Pro) too. Every time I try to flash the bios with the new bios that contains the ME patch, it acts as if there is no file in M-flash? But that was yesterday, and today is a new day! We shall see when I get home from work.
     
  31. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Those that are using a Svet BIOS can most likely unlock the ME region using the tool he provides for flashing his BIOS mod. It should work for a stock BIOS as well, but you would need his MSI ME unlocker to do it. Anyone that is desperate and concerned about the ME update that owns an MSI notebook might be able to get his assistance with a donation.

    Really silly and unethical how much MSI and Dell lock their crap down to the point where normal maintenance like this is not possible.
     
  32. Vasudev

    Vasudev Notebook Nobel Laureate

    I think it's good to be locked down because any malware will be contained like a prison. I am looking to remove IMEI from the system using ME Cleaner.
     
    Papusan and Mr. Fox like this.
  33. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    I never think having anything locked is a good idea. I'd rather take my chances with malware and have control over everything. I do not appreciate it at all when a company makes decisions for me. I despise them for it. If it is my machine, they have no right to decide what I can or cannot do with it. It's none of their business. I might not be as hateful toward them if they provided a way for system owners to turn it off at will, but they do not because they are malicious control freaks. Their behavior demonstrates it is all about control for them, and they are just trying to fake us all out by touting it as "security" measures. Baloney.
     
  34. Spartan@HIDevolution

    Spartan@HIDevolution Company Representative

    @Mr. Fox @macmyc

    I just read the instructions again, it instructs us to revert BIOS to defaults first so I did that, then changed back to RAID from AHCI and tried again, the ME Firmware upgraded smoothly:

    [​IMG]

    [​IMG]
     
    Last edited: Dec 4, 2017
  35. hmscott

    hmscott Notebook Nobel Laureate

    Last edited: Dec 8, 2017
    KY_BULLET and Mr. Fox like this.
  36. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    That's great news. @KY_BULLET will be glad to see this.

    Tonight is a good night. In addition to that good news, I also resurrected the DM-G from an experimental BIOS that bricked it. Programmers are so awesome. Don't know how I lived so many years without one. Like godmode on steroids.
     
    Last edited: Dec 8, 2017
  37. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    And Intel continues updating their detection Tool. Now in 3rd version @tilleroftheearth :rolleyes: Intel-SA-00086 Detection Tool Version: 1.0.0.146 (Latest) Date: 12/7/2017
    Flawed firmware. And the detection Tool to see if you have their ****y ain't much better.
     
    Last edited: Dec 8, 2017
    tilleroftheearth and Vasudev like this.
  38. Vasudev

    Vasudev Notebook Nobel Laureate

    Are they trying to hack the MEI themselves or even threaten users with updates every week or month? At least they could have given generic ME FW for all affected PCs.
     
    Papusan likes this.
  39. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    Amazing they needed 3 updates in short while for their detection Tool. When will Version 4 come? :rolleyes:
     
    Vasudev likes this.
  40. Vasudev

    Vasudev Notebook Nobel Laureate

    Guys don't delete the older tool from SA00086 because Intel removed their MEINFO.exe and other dlls in newer version.
     
    tilleroftheearth and hmscott like this.
  41. Vasudev

    Vasudev Notebook Nobel Laureate

    They removed additional dlls and MEINFO from the older release; they rushed the update and exported their project solution to us, which is really beneficial hahaa. At least I have a working MEINFO which says everything about the ME.
     
    Maleko48, hmscott and Papusan like this.
  42. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Hmm... where is the ME update? After a closer look, the link goes to an article about the problem and not an actual ME Update from MSI.
     
    KY_BULLET, hmscott and Vasudev like this.
  43. Vasudev

    Vasudev Notebook Nobel Laureate

    It's removed and you need to type your model no. of MSI laptop and get the FW update.
     
    hmscott likes this.
  44. hmscott

    hmscott Notebook Nobel Laureate

    http://forum.notebookreview.com/thr...vidia-gtx-1080s.794897/page-189#post-10644084

    @mkinasz was giving a heads up to look for your own laptop model, his model's support page has the BIOS update ready:

    SUPPORT FOR GT83VR 7RE TITAN SLI
    https://www.msi.com/Laptop/support/GT83VR-7RE-Titan-SLI

    Under Support -> BIOS:
    Title - BIOS
    Version E1815IMS.30C
    Release Date 2017-12-04
    File Size 5.07 MB

    Title - Intel ME FW Update Tool
    Release Date 2017-12-01
    File Size 75.66 MB
    Description
    Intel® Management Engine Critical Firmware Update for Security Vulnerabilities (Intel SA-00086)
    Refer to the update guide to patch security vulnerabilities for your system."
    GT83 BIOS Update and patch tool for Intel ME FW.JPG
    You'll need to look it up for your model, if you have an MSI 16L13, I assume your vendor will be able to get you an update, not sure if MSI is transparent with support files for their whitebox products - I haven't seen an end user accessible support area for the MSI 16L13, please post it if you find one. :)
     
    Last edited: Dec 8, 2017
    Vasudev likes this.
  45. Vasudev

    Vasudev Notebook Nobel Laureate

    Prema's FW update tool works on any supported Clevo.
     
  46. hmscott

    hmscott Notebook Nobel Laureate

    MSI's 16L13 isn't a Clevo, it's an MSI whitebox laptop that boutique vendors gussy up for delivery to end users. Usually the vendor has a support download page for drivers, app updates, and firmware.

    IDK if @Prema is going to offer an Intel ME patch for the MSI 16L13 as he did for the Clevo's...
     
    Vasudev likes this.
  47. Papusan

    Papusan Jokebook's Sucks! Dont waste your $$$ on Filthy

    @Prema's ME patch works on MSI 16L13
     
    KY_BULLET, Mr. Fox and Vasudev like this.
  48. KY_BULLET

    KY_BULLET Notebook Evangelist

    Mr. Fox and Vasudev like this.
  49. KY_BULLET

    KY_BULLET Notebook Evangelist

    @Papusan....I'm thinking about saying the hell with it and trying it. That kinda scared me when Prema said in the original security risk post "Next week you will want your system patched if you plan on going online". Or something like that.
     
    Vasudev likes this.
  50. Mr. Fox

    Mr. Fox BGA Filth-Hating Elitist

    Yeah, as mentioned @Prema already did. It's unfortunate that MSI provides such horrible support for the world's most powerful 15-inch notebook. They've really never provided any outwardly visible support for it and treat it like a red-headed stepchild. If they were really smart, it would carry their own branding and be treated as the royal beast it deserves to be treated like.

    Interesting they haven't gotten to it yet considering it is current generation. Does that desktop have a common motherboard in it, or a proprietary motherboard made for it only? Maybe pull the side panel and look for some model info on the board itself. If it is a common production motherboard, check the motherboard support page.

    Considering your desktop has Z370 and 8700K, might as well. There is nothing magical or brand/model specific about the ME firmware in terms of being a pre-requisite. The OEM might tweak it to do some backdoor branding, but otherwise it is all the same version of the same ME. The danger in flashing has more to do with compatibility with the original version, and your desktop is not old enough for that to be an issue. I flashed my ASUS ROG Maximus X Hero (WI-FI AC) motherboard with a generic version from Win-RAID before ASUS released an update. As long as MSI did not do something retarded to block the flash as they have done with the cancerware on many laptops, it should work just fine. There is always an element of risk when flashing any kind of firmware, so being flippant isn't recommended.
     
    Last edited: Dec 8, 2017
    KY_BULLET, hmscott and Vasudev like this.