IMPORTANT SECURITY UPDATES!

Bigger phone is always the best approach. Phablets all the way, man. Small phones suck for some of the same reasons that small laptops suck. Go big, or go home.

 

You sure?

Spoiler: Go BIG, or go home... YEES.

 

THX @Phoenix Updated the OP with the latest driver. User can just scroll through the tabs at station drivers, to see if there is any newer version. Though for the update procedure itself it doesn't really matter to be on the latest driver.

 

Updated two of my P650RP6-G machines today (1 left to go). I ran into a couple of issues (non-fatal) which may be useful.

Couple of issues I ran into:

1. HDMI stopped working on one machine after patching and rebooting (HDMI monitor was plugged in while I ran the update). Updating drivers didn't work, DDU didn't work, tried multiple HDMI cables and multiple HDMI monitors. Even a Linux LiveCD wouldn't initialise the HDMI port properly.
   FIX/Workaround: Turns out it's a BIOS/Firmware related bug. Likely something to do with loading the GPU's EFI rom. The solution was to Boot into DXHYBRID mode, then reboot back to DISCRETE. I'm assuming this causes a full EFI rom reload. Alternatively, I believe the FN+D boot wipe or resetting the CMOS battery would achieve the same thing.
   
   
2. The Clevo Control Center seemed to interfere with my first attempt to patch one of the machines. Running the patch would result in getting stuck in the "updating..." loop. I noticed that "rerun.exe" included with the Hotkey/CC utility was constantly running in a loop and seemed to be stopping the ME patch from installing..
   FIX/Workaround:I killed the "rerun.exe" process, killed the ME patcher, killed all hotkey related processes, then ran the ME vulnerability checker to confirm that the patch was NOT applied. Then re-ran the patcher as Administrator and successfully patched.

Either way no big deal, but just in case any body runs into similar issues there's some fixes.

Big thank you to @Prema of course

EDIT: 2017/12/6 Looks like HDMI is still being a bit weird. It doesn't automatically initialise HDMI on boot. Unplugging/replugging sorted it though. I'll have to try the FN+D wipe as well to get any other gremlins out of the system.

 

Just wanted to add that my PowerSpec 1710 shipped vulnerable, and that the Prema patch worked as intended, TY Prema!

 

Ran detection tool on Haswell system in sig. Not vulnerable.

 

It's nice to see there's some old beasties still on this site, and I'm remembered.

 

@Prema Unfortunately, I've run into a problem with my P750DM-G.

I get this error in the log:

Error 8719: Firmware update cannot be initiated because Local Firmware update is disabled

It's running BIOS 1.05.03, EC 1.05.01. Tried installing various versions of the ME driver to no effect.

I suspect that due to it being an old BIOS that the ME flashing is disabled. Any thoughts? I'm guessing a new BIOS is in order.

 

Just wanted to chime in to say that the patch works on my Sager NP8952 (CLEVO P950HR)

Thank you Prema!

 

The way Dell prefer to do it when they update new firmware (Security enhancement - Maybe for the known ME bugs - Or will there come a new nice mickey 12/11/2017 (MEFW Update) aka 5C more? TRIPOD ain't enough. Must make it worse with firmware!!

 

So, I got a new BIOS rev (1.05.15) for my P750DM-G and the METool still fails with:
"Error 8719: Firmware update cannot be initiated because Local Firmware update is disabled"

Any ideas?

 

Hey @Mr. Fox, you think I should be able to patch my MSI desktop with this patch? I was thinking it was only for Clevo machines but seems that it doesn't matter what machine the "Affected Intel chip and ME firmware" is in that the patch is CPU/ME related only.

Thanks,
Charlie

 

There is always a risk, Charlie. It worked great for several guys with a 16L13. I think the kicker has to do with your current ME version, and whether or not the MSI firmware blocking crap will even let you have access to it. Maybe post your current ME firmware version and @Prema can comment on whether or not using it is a greater risk than normal, or not recommended.

 

I believe I'm on 11.7.1043 was on 11.7.1035 but might be the other way around. I will chck when i get home tonight. Either or, both are vulerable.

Thanks,
Charlie

Edit...come to think of it, I went on Intel's site and got on 11.7.1043 thinking it might fix it but...nope. So I reverted back to MSI's current ME driver 11.7.1035. So im pretty sure thats where im at right now. 11.8.xxxx is where I need to be I think.

 

And Intel continue updating their detetion Tool. Now in 3rd version Intel-SA-00086 Detection Tool Version: 1.0.0.146 (Latest) Date: 12/7/2017
Flawed firmware. And the detection Tool ain't much better.

 

Here is what I have right now.

 

Try this... http://forum.notebookreview.com/thr...f-pcs-vulnerable.810994/page-14#post-10644138

 

i get Error 8771: Invalid File in the log file.

 

Someone must have flashed a locked firmware at one point. PM me if you still need help!

NP, but it's a very new model, so they should still support it themselves...

Sounds like you are using an older (pre-2015) system, which isn't vulnerable.
Did you run the Intel Tool from the OP first to see if that system is even affected?

 

Thank you for your efforts Prema. I have tried reinstalling the drivers too. I'm stuck with an error 8772. Am I missing something?

 

8772 means the system is already updated. Un-install and remove the driver, then install it fresh.

 

strange, the tool says my system is vulnerable, p151sma.

 

It isn't affected, but you can use the ME 9 version to update it either way.

 

Am I missing something with the archive password? Can't see it anywhere

 

Patched a Clevo P651HS-G. Now system is ok.
Many Thanks Prema.

 

Read the error.log file that is created in the METool directory to get the actual error code. The tool will always display "8772" as that seems to be hard-coded.

 

Same here. I have a system with Prema BIOS and provided my email address for subscription to the web site. I don't have a reply yet for that (no surprise since it's a weekend and this is a community project), but I'm not clear on where I obtain the archive password.

 

Maybe reading the OP helps with that guys...

Yeah, the Tool actually just displays a short sentence explaining what that specific error means rather than it being an actual error report, which is, as you said, in the logfile...

 

Oh. man, I'm feeling really sheepish now. Doh!

Thanks.

 

Don't worry, I never read the manual either.

 

oh I could've sworn it wasn't there when I checked it. Thanks for the tool

 

Intel to Deploy Management Engine Lock to Prevent Disabling, Rollback
"Intel is seemingly poising to move towards a full hardware lock of the Management Engines' capabilities, thus ensuring it can't be disabled. And even if Intel does send out firmware fixes for its already deployed CPUs with ME integration, the fact remains that the memory pool where the firmware is written is, well, re-writable - given enough access, miscreants could simply re-flash the ME to an earlier, vulnerable version, and thus acquire God Mode access to a victim's computer. To tackle both issues, Intel is moving towards a hardware lock of their ME."

 

So, they plan to take the Chicken-Licken " the sky is falling" approach and start locking crap down with a hardware lock... no thanks. They can bite me. This is an over-hyped excuse to wrongfully deprive end users of autonomy and control of their own private property, not a safety concern. Taking the "what if?" fear-monger approach to things sucks every time. If they put a hardware lock on the ME it opens Pandora's Box for these control freaks to block and lock even more stuff to "keep us safe" (i.e. enhance their cash flow). I bet 5 bucks Micro$loth has something dirty to do with planting a seed like this one to finagle a way to block anyone from using an OS other than Windows 10.

Using their Gestapo thought process, I need to build a 15 foot tall explosion-resistant wall around my property line because a random terrorist with a wild hare up his butt could drive past my house and blow it up with an RPG. I better get right on that, before it is too late. It could happen, you know.

 

Much emotional. So passion. Very drama. Wow.

 

You forgot this one I'm in love with a fairy tale...

 

For what it's worth, I did the manual direct firmware update from win-raid.com on my MSI laptop, without even bothering to wait for "official" MSI updates, and it worked fine. I believe if the chipset is Intel 100/200/300, skylake or kabylake, PCH H or whatever it's called, and the old ME firmware was 11.7.x, then you can patch directly to 11.8.x with the intel flasher from the archive on win-raid. Or you can just use the official MSI stuff when they release it. As always, do it at your own risk. It worked for me though.

 

Intel has published a new version of the detection tool that works with all languages

https://downloadcenter.intel.com/download/27150

V 1.0.0.146 for windows worked only if OS was in english.

 

So far, only 4 versions of the Intel-SA-00086 Detection Tool (Version: 1.0.0.152 - latest). When will the 5 version come @tilleroftheearth? Next week?

 

Will this need doing on a brand new laptop?

 

Likely yes. Intel actually published a rollout schedule for various manufacturers and machines somewhere if I can find it again. My laptop for example is slated to receive the official update shortly after the new year. Depends what your machine is though.

EDIT:
Sorry, it was only Dell to my knowledge who has a scheduled rollout table for their various affected models. Here is Intel's main page on this matter:

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

And here is the sub page with the various manufacturer support links:

http://www.intel.com/sa-00086-support

 

Cle

Clevo is not on the list so what do I use?

 

You are at the mercy of your OEM for "official" support. You may be able to derive unofficial support through other means if you know what you're doing and know your hardware well enough. But it usually is not an easy path to explore and more harm than good could come of it.

 

How about you just use the update from the OP and be done with it?!
Had a few thousand downloads and no complains.

 

Ok I'll just do that I have a lot to learn with this new toy.......

 

As long as your seller is flashing the latest firmware containing the fix, then no.

EDIT: Looks like you have a laptop already. I meant if you're a prospective customer/in the market, your laptop should arrive with the security issue already patched.

 

You should always check even on new hardware

 

Where do I donate?

 

Check the included readme file. Link is there.

 

Can't read it. Password locked.