Critical Flaws in Computers Leave Millions of PCs Vulnerable

@Mr. Fox ...It has the Z370 A Pro Mobo. I went to the support page and tried to do the update they have posted for it but my machine wouldn't take it. It wouldn't even recognize it. Good thing because the guys over on MSI forums said it would bricked my machine had I flashed it with that Bios.

 

Hmm. So sorry to hear that. That's really stupid of them. If it has essentially what amounts to a generic motherboard in it, those bastards must have done something malicious to it to make it a proprietary revision. That so terribly wrong of them. It raises all sorts of questions in my mind what else they might have done to cripple it and make it proprietary. Sounds like one of Dell's stupid stunts. They do the same kind of ignorant crap to their desktops. Having a proprietary control freak abortion largely defeats one of the greatest advantages to owning a desktop instead of a laptop. I intentionally avoided the inclusion of any MSI components in my desktop because of some of the unforgivable retarded nonsense I have seen them do on their laptops, including the mighty little 16L13. I have no use for cancer monkeys that behave that way. For exactly the same reason, it is extremely unlikely I will never allow any emasculated garbage from Dell or HP to darken my desk ever again.

 

what the password for the ME tool downloads? couldn't find it on prema's site.

 

Its premamod.com
Strictly applicable only to Clevo laptops and not others.

 

MSI motherboard update news. I've been through all the Z270 boards they offer and about 3/4 of them are patched for the latest vulnerability. Still none of the Z170 boards patched yet.

 

My Z370 Codex XE patch still isnt available as of last night.

 

it says this desktop I just traded for is vunerable I downloaded the patch from asus ran it and it did absolutely nothing :-/..... but I am behind a Cisco small bis firewall should I even worry about this?

 

Maybe it's because you're running a custom BIOS and the patch can't apply correctly because of that, just a thought?

 

well as far as the system knows its made by Asus, I think its because I uninstalled the MEI driver

 

Yeah, I'd put it back to 'stock' as close as you can & then try again.

 

Before the update... Intel MEI Driver v11.7.0.1045 (Windows 8 & Windows 10) INF for manual installation. Don't install the bloated version.

 

So only one inf is enough to update MEI, so what's extra baggage that OEM driver contains putting aside the Intel installer?

 

You can use both the installer and INF for manual installation. Bloatware will never do any good for you. At least use the MEI only installer. Not the fully Package. The point is use latest driver before flashing new firmware

 

Any chance you could upload that for us?

 

Haven't v1.0.0.135 but here is the first SA00086 v1.0.0.128 - www.virustotal.com

 

Here is the file

 

MSI Has just released it for the GT72-6Q series and it worked, flashing was very quick as well. I am quite shocked they released an update.

 

So MSI has finally added the firmware update for 6th generation CPUs but they didn't care about updating the Intel ME driver, so the version available to me is 11.6.0.1015 (Package_11.6.0.1117) (which is the one i have installed), intel minimum requirements is Intel® ME 11.8.50.3399 as written here, would it be safe to update with my current version tested by MSI or go and update as Intel recommends and then install the FW update?

 

It's better to update Intel ME before the FW update.

 

Well i have made a bit of confusion here. That version was for Intel ME Firmware and not the driver.
I have updated successfully without touching the ME driver and now the detection tool says my system is patched. Thank you anyway

 

For some reason MSI released a new Intel Management Engine Driver for my motherboard, but they haven't released a new BIOS:
https://www.msi.com/Motherboard/support/Z170A-KRAIT-GAMING-3X.html#down-driver&Win10 64
After updating to that latest Intel ME driver above my system is still showing vulnerable, I'm guessing it's the firmware that needs to be patched rather than the software, but as to why they've released a new Intel ME driver - who knows!

 

Congratulations, you are welcome.

 

Here we go... Version 4 Intel-SA-00086 Detection Tool Version: 1.0.0.152 (Latest) Date: 12/19/2017
When will the 5 version come?

 

All my Clevo laptops still vulnerable until now. I tried everything .
2 laptops EVOC P870DM3 + 1 P750ZM

 

Try Prema bhai's MEI FW update.

 

Have you tried in safe mode by reverting to BIOS defaults and flashing the FW. Disable AVs, Windows Update and BITS services too.

 

Good idea, will try it and see what will happen, thanks for your kind support.

 

The new one work as well. Odd

 

Lucky you as always my friend...

 

You might the full MEI suite to get rid of obsolete message. Install the full suite from Clevo and afterwards uninstall the MEI suite using revo to remove the MEI service spywares.

 

I don't run the tool 24/7/365. Or use the pict as wallpaper So the obsolete message, doesn't bother me at all. The important message is "painted" in Green

 

Its better to run full MEI suite from Intel and atleast avoid possible riskware from Intel.

 

U.S. government warns about cyber bug in Intel chips
NOVEMBER 21, 2017 / 4:24 PM
https://www.reuters.com/article/us-...-about-cyber-bug-in-intel-chips-idUSKBN1DM01R

"The U.S. government on Tuesday urged businesses to act on an Intel Corp alert about security flaws in widely used computer chips as industry researchers scrambled to understand the impact of the newly disclosed vulnerability.

The Department of Homeland Security gave the guidance a day after Intel said it had identified security vulnerabilities in remote-management software known as “Management Engine” that shipped with eight types of processors used in business computers sold by Dell Technologies Inc, Lenovo Group Ltd, HP Inc, Hewlett Packard Enterprise Co and other manufacturers.

Security experts said that it was not clear how difficult it would be to exploit the vulnerabilities to launch attacks, though they found the disclosure troubling because the affected chips were widely used.

“These vulnerabilities affect essentially every business computer and server with an Intel processor released in the last two years,” said Jay Little, a security engineer with cyber consulting firm Trail of Bits.

For a remote attack to succeed, a vulnerable machine would need to be configured to allow remote access, and a hacker would need to know the administrator’s user name and password, Little said. Attackers could break in without those credentials if they have physical access to the computer, he said.

Intel said that it knew of no cases where hackers had exploited the vulnerability in a cyber attack.

The Department of Homeland Security advised computer users to review the warning from Intel, which includes a software tool that checks whether a computer has a vulnerable chip. It also urged them to contact computer makers to obtain software updates and advice on strategies for mitigating the threat. ( bit.ly/2zqhccw)

Intel spokeswoman Agnes Kwan said the company had provided software patches to fix the issue to all major computer manufacturers, though it was up to them to distribute patches to computers users.

Dell’s support website offered patches for servers, but not laptop or desktop computers, as of midday Tuesday. Lenovo offered fixes for some servers, laptops and tablets and said more updates would be available Friday. HP posted patches to its website on Tuesday evening.

Security experts noted that it could take time to fix vulnerable systems because installing patches on computer chips is a difficult process.

“Patching software is hard. Patching hardware is even harder,” said Ben Johnson, co-founder of cyber startup Obsidian Security."

 

Intel Management Engine pwned by buffer overflow
Security researchers lift lid on snafu at Black Hat Europe
By Thomas Claburn in San Francisco 6 Dec 2017 at 16:30
https://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/

"On Wednesday, in a presentation at Black Hat Europe, Positive Technologies security researchers Mark Ermolov and Maxim Goryachy plan to explain the firmware flaws they found in Intel Management Engine 11, along with a warning that vendor patches for the vulnerability may not be enough."

Spoiler: Details...

Two weeks ago, the pair received thanks from Intel for working with the company to disclose the bugs responsibility. At the time, Chipzilla published 10 vulnerability notices affecting its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE).

The Intel Management Engine, which resides in the Platform Controller Hub, is a coprocessor that powers the company's vPro administrative features across a variety of chip families. It has its own OS, MINIX 3, a Unix-like operating system that runs at a level below the kernel of the device's main operating system.

It's a computer designed to monitor your computer. In that position, it has access to most of the processes and data on the main CPU. For admins, it can be useful for managing fleets of PCs; it's equally appealing to hackers for what Positive Technologies has dubbed "God mode."

The flaws cited by Intel could let an attacker run arbitrary code on affected hardware that wouldn't be visible to the user or the main operating system. Fears of such an attack led Chipzilla to implement an off switch, to comply with the NSA-developed IT security program called HAP.

But having identified this switch earlier this year, Ermolov and Goryachy contend it fails to protect against the bugs identified in three of the ten disclosures: CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707.

The duo say they found a locally exploitable stack buffer overflow that allows the execution of unsigned code on any device with Intel ME 11, even if the device is turned off or protected by security software.

They claim to have employed a generic technique to bypass the stack canary, a value written to memory to catch overflows via change detection, thereby allowing them to run executable code using Return Oriented Programming.

Though the vulnerabilities require local access to an affected machine or the credentials to access the machine through a remote IT management system, an Active Management Technology (AMT) flaw disclosed by Intel in May raises the possibility of a remote attack.

"Given the massive penetration of devices with Intel chips, the potential scale for attacks is big, everything from laptops to enterprise IT infrastructure is vulnerable," the pair said in a statement emailed to The Register.

"Such a problem is very hard to resolve – requiring a manufacturer to upgrade firmware, and attackers exploiting it may be just as difficult to detect."

Dino Dai Zovi, co-founder and CTO of security biz Capsule8, in an email to The Register, said the most troubling aspect of the research is that it may be exploited without the need to open the target system's enclosure.

"This is not a huge impediment to an attacker with physical access, but as some laptops have case tamper switches, it is able to bypass that protection," he said.

Ermolov and Goryachy contend patches for the flawed hardware related to CVE-2017-5705, CVE-2017-5706, and CVE-2017-5707 don't preclude the possibility of exploitation because an attacker with access to the ME-region firmware can overwrite it with a vulnerable version for exploitation.

"Writing an older version of the ME firmware typically requires either writing to the flash chip directly or taking advantage of weak BIOS protections, which would depend on the vendor's particular configuration," said Dai Zovi.

The US government's concern about ME exploitation has made it to the private sector. Hardware vendors Dell, Purism, and System76 are now offering gear with Intel's ME disabled. And Google has been working on NERF (Non-Extensible Reduced Firmware), an open source software system based on u-root that replaces UEFI and the Intel ME with a small Linux kernel and initramfs (which mount the root file system).

Dai Zovi observed that in addition to these vendor options, "the security community has responded to distrust of the ME by developing a number of open source projects to disable it," such as me_cleaner and Heads.

Asked whether Intel has any plans to alter the way its Management Engine works or to offer chips without the ME, a company spokesperson suggested such requests should be directed to hardware vendors.

"The Management Engine (ME) provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management," the spokesperson said.

"System owners with specialized requirements should contact the equipment manufacturers for this type of request. However, since any such configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations." "

 

Intel® Management Engine Critical Firmware Update (Intel-SA-00086)
Last Reviewed: 26-Dec-2017 (most recent updates)
Article ID: 000025619
https://www.intel.com/content/www/us/en/support/articles/000025619/software.html

Spoiler: Details

Intel® Management Engine (Intel® ME 6.x/7.x/8.x/9.x/10.x/11.x), Intel® Trusted Execution Engine (Intel® TXE 3.0), and Intel® Server Platform Services (Intel® SPS 4.0) vulnerability (Intel-SA-00086)

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of the following with the objective of enhancing firmware resilience:

• Intel® Management Engine (Intel® ME)
• Intel® Trusted Execution Engine (Intel® TXE)
• Intel® Server Platform Services (SPS)

Intel has identified security vulnerabilities that could potentially impact certain PCs, servers, and IoT platforms.

Systems using Intel ME Firmware versions 6.x-11.x, servers using SPS Firmware version 4.0, and systems using TXE version 3.0 are impacted. You may find these firmware versions on certain processors from the:

• 1st, 2nd, 3rd, 4th, 5th, 6th, 7th, and 8th generation Intel® Core™ Processor Families
• Intel® Xeon® Processor E3-1200 v5 and v6 Product Family
• Intel® Xeon® Processor Scalable Family
• Intel® Xeon® Processor W Family
• Intel Atom® C3000 Processor Family
• Apollo Lake Intel Atom® Processor E3900 series
• Apollo Lake Intel® Pentium® Processors
• Intel® Pentium® Processor G Series
• Intel® Celeron® G, N, and J series Processors

To determine if the identified vulnerabilities impact your system, download and run the Intel-SA-00086 Detection tool using the links below.

Frequently Asked Questions Section

Available resources

• Intel official security advisory: Technical details on the vulnerability

Resources for Microsoft and Linux* users

• Intel-SA-00086 Detection Tool

Note Versions of the INTEL-SA-00086 Detection Tool earlier than 1.0.0.146 did not check for CVE-2017-5711 and CVE-2017-5712. These CVEs only affect systems with Intel® Active Management Technology (Intel® AMT) version 8.x-10.x. Users of systems with Intel AMT 8.x-10.x are encouraged to install version 1.0.0.146, or later. Installing this version helps to verify the status of their system with regard to the INTEL-SA-00086 Security Advisory. You can check the version of the INTEL-SA-00086 Detection Tool by running the tool and looking for the version information in the output window.

Resources from system/motherboard manufacturers

Note Links for other system/motherboard manufacturers will be provided when available. If your manufacturer is not listed, contact them for information on the availability of the necessary software update.

• Acer: Support Information
• ASRock: Support Information
• ASUS: Support Information
• Compulab: Support Information
• Dell Client: Support Information
• Dell Server: Support Information
• Fujitsu: Support Information
• Getac: Support Information
• GIGABYTE: Support Information
• HP Inc.: Support Information
• HPE Servers: Support Information
• Intel® NUC, Intel® Compute Stick, and Intel® Compute Card: Support Information
• Intel® Servers: Support Information
• Lenovo: Support Information
• Microsoft Surface*: Support Information
• MSI: Support Information
• NEC: Support Information
• Oracle: Support Information
• Panasonic: Support Information
• Quanta/QCT: Support Information
• Supermicro: Support Information
• Toshiba: Support Information
• Vaio: Support Information
• Wiwynn: Support Information

Intel Customer Support to submit an online service request.

This article applies to:
Active Products

Intel® Server Platform Services Firmware
Intel® Management Engine
Intel® Trusted Execution Technology (Intel® TXT)

 

Get These Laptops With Intel ME Chip Disabled From Dell, System76, And Purism
December 5, 2017
https://fossbytes.com/laptops-intel-me-chip-disabled/


"The Intel ME chip which recently became popular is giving sleepless nights to the security community and PC users around the world.

Why? Because the vulnerabilities in the Management Engine chip, running a closed source variant of MINIX OS, can allow attackers to take complete control of a system without the users noticing.

What now? Several PC manufacturers have tried to take advantage of the situation and made attempts to build user trust by offering laptops with Intel ME chip disabled. Yes, probably the chips can be disabled through a feature designed to leave the management engine inoperable on machines purchased by government bodies.

Dell Laptops With Intel ME chip disabled
The American PC manufacturer Dell is willing to disable the vulnerable Intel chip on selected machines if the user is willing to pay $20 fee (spotted by a Reddit user).

You can disable the chip on Dell’s New Latitude 14 Rugged Laptop. Visit the product page and choose “Intel vPro – ME Inoperable, custom order” which will increase the bill amount by $20.92.

The other Dell machines include Latitude 15 E5570 laptop and Latitude 12 Rugged Tablet.

Purism Laptops with Intel ME chip disabled
Purism was probably the first company to announce that their Librem series laptops would come with the Management Engine disabled out of the box. For the Laptops released in the recent past, the company is providing the same via software update. It was a little bit difficult for Purism as their laptops run the open source firmware ‘coreboot’.

You can find Librem13 and Librem 15 shipping with ME firmware disabled at this product page.

System76 Laptop with Intel ME chip disabled
Unlike Dell, System76 is offering to turn off the ME chip on all of their new machines. In a blog post, the company provides the list of all affected laptops.

They have released an open source tool which can be used to disable ME chip on all of their laptops. Users can download the tool from this GitHub page."

 

Intel shares fall as investors worry about costs of chip flaw

Intel says performance impact of security updates not significant

 

Yeah not significant at all because you will be forced to buy new and better CPUs with security first approach which costs/adds 20% extra price.
If they publicly say its affected, everybody will switch to slower AMD CPU which has near zero risk.

 

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day


If you think that only CPU updates that address this year's major security flaws—Meltdown and Spectre—are the only ones you are advised to grab immediately, there are a handful of major security flaws that you should pay attention to.

Microsoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office related that had been actively exploited by several threat groups in the wild.

Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework.


The zero-day vulnerability (CVE-2018-0802), described by Microsoft as a memory corruption flaw in Office, is already being targeted in the wild by several threat actor groups in the past few months.

The vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad.

According to the company, this security flaw is related to CVE-2017-11882—a 17-year-old vulnerability in the Equation Editor functionality (EQNEDT32.EXE), which Microsoft addressed in November.

When researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a blog post published by Check Point.

Besides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office.

A spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for MAC, which has been listed as publicly disclosed (Mailsploit attack), has also addressed by the company. The vulnerability does not allow some versions Outlook for Mac to handle the encoding and display of email addresses properly, causing antivirus or anti-spam scanning not to work as intended.


Microsoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid.

"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose," describes Microsoft. "This action disregards the Enhanced Key Usage taggings."

The company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer.

All these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet.

Meanwhile, Adobe has patched a single, out of bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild.

Users are strongly advised to apply October security patches as soon as possible to keep hackers and cybercriminals away from taking control of their computers.

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

 

Still haven't received the updates for Meltdown and these new patches, is there anything i can do before getting them from the catalog?

 

For installing security updates, simply head on to Settings → Update & security → Windows Update → Check for updates, or you can install the updates manually.

 

Uninstall your antivirus, update Windows via Windows update, reinstall the antivirus.

 

New Intel AMT Security Issue Lets Hackers Gain Full Control of Laptops in 30 Seconds

It's been a terrible new-year-starting for Intel.

Researchers warn of a new attack which can be carried out in less than 30 seconds and potentially affects millions of laptops globally.

As Intel was rushing to roll out patches for Meltdown and Spectre vulnerabilities, security researchers have discovered a new critical security flaw in Intel hardware that could allow hackers to access corporate laptops remotely.

Finnish cyber security firm F-Secure reported unsafe and misleading default behaviour within Intel Active Management Technology (AMT) that could allow an attacker to bypass login processes and take complete control over a user's device in less than 30 seconds.

AMT is a feature that comes with Intel-based chipsets to enhance the ability of IT administrators and managed service providers for better controlling their device fleets, allowing them to remotely manage and repair PCs, workstations, and servers in their organisation.


The bug allows anyone with physical access to the affected laptop to bypass the need to enter login credentials—including user, BIOS and BitLocker passwords and TPM pin codes—enabling remote administration for post-exploitation.

In general, setting a BIOS password prevents an unauthorised user from booting up the device or making changes to the boot-up process. But this is not the case here.

The password doesn't prevent unauthorised access to the AMT BIOS extension, thus allowing attackers access to configure AMT and making remote exploitation possible.

Although researchers have discovered some severe AMT vulnerabilities in the past, the recently discovered issue is of particular concern because it is:

• easy to exploit without a single line of code,
• affects most Intel corporate laptops, and
• could enable attackers to gain remote access to the affected system for later exploitation.

"The attack is almost deceptively simple to enact, but it has incredible destructive potential," said F-Secure senior security researcher Harry Sintonen, who discovered the issue in July last year."In practice, it can give a local attacker complete control over an individual’s work laptop, despite even the most extensive security measures."According to the researchers, the newly discovered bug has nothing to do with the Spectre and Meltdownvulnerabilities recently found in the microchips used in almost all PCs, laptops, smartphones and tablets today.

Here's How to Exploit this AMT Issue

To exploit this issue, all an attacker with physical access to a password (login and BIOS) protected machine needs to do is reboot or power-up the targeted PC and press CTRL-P during boot-up, as demonstrated by researchers at F-Secure in the above video.

The attacker then can log into Intel Management Engine BIOS Extension (MEBx) with a default password.


Here, the default password for MEBx is "admin," which most likely remains unchanged on most corporate laptops.

Once logged in, the attacker can then change the default password and enable remote access, and even set AMT's user opt-in to "None."

Now, since the attacker has backdoored the machine efficiently, he/she can access the system remotely by connecting to the same wireless or wired network as the victim.

Although exploiting the issue requires physical access, Sintonen explained that the speed and time at which it can be carried out makes it easily exploitable, adding that even one minute of a distraction of a target from its laptop is enough to do the damage.
"Attackers have identified and located a target they wish to exploit. They approach the target in a public place—an airport, a café or a hotel lobby—and engage in an 'evil maid' scenario," Sintonen says."Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn't require a lot of time—the whole operation can take well under a minute to complete."Along with CERT-Coordination Center in the United States, F-Secure has notified Intel and all relevant device manufacturers about the security issue and urged them to address it urgently.

Meanwhile, users and IT administrators in an organisation are recommended to change the default AMT password of their device to a strong one or disable AMT if this option is available, and never leave their laptop or PC unattended in a public place.

 

This has been known for years by corporations, and it is usually set just like the administrator BIOS lockout password. This isn't new.

Most laptops aren't set up with this, it's limited to laptops destined for corporations, and they know about this - or should - if they don't it's an exceptional lapse, but then that corporation is likely missing other things too.

It would look new to people that don't administer corporate laptops that need this remote access / control of their assets, but it has been this way for many years.

The current security frenzy is such that things like this will make the news where normally someone would catch it and say "hey man, this isn't new"

 

I think you are right, the new thing is only that many people don't know about it, including me .

 

You're not the only one, @Papusan posted it in the Meltdown / Spectre thread too:

CPU Vulnerabilities, Meltdown and Spectre, Kernel Page Table Isolation Patches, and more
http://forum.notebookreview.com/thr...patches-and-more.812424/page-56#post-10663730

 

The using of a bios to lock out authorized users is well known. This can happen with ANY system not already secured.

 

How to enable or disable the Meltdown and Spectre Patches

 

No news here on one of NBR's hot threads? Oh'well, here we go Skyfall and Solace Could be the First Attacks Based on Meltdown and Spectre?
"Out of the blue, a website popped up titled "Skyfall and Solace," which describes itself as two of the first attacks that exploit the Spectre and Meltdown vulnerabilities (it doesn't detail which attack exploits what vulnerability)."

 

Important — DO NOT install Intel's security patches for #Spectre and #Meltdown chip vulnerabilities, Intel warns of 'unwanted' reboot issue. Wait for new patches.

Read More ➤ https://thehackernews.com/2018/01/intel-meltdown-spectre-patch.html

Linux creator Torvalds calls Intel patches "complete and utter garbage." https://twitter.com/TheHackersNews/status/955771548702359552/photo/1