Intel Admits Security Flaws Contained in Most PC Chips It Sold for Years
Intel admitted this week that there were multiple, serious security flaws in software it had hidden in virtually every PC chip it sold in recent years.
The security holes reside mainly in a feature called the “management engine” on Intel CPUs, like its brand new 8th generation Core Processor series. Intel said it had developed software patches to eliminate the problems, but listed only one manufacturer—Lenovo—that had created a way for customers to actually update their computers. While some other PC makers listed fixes on their own web sites, some of the vulnerable chips reside in smart, connected devices (part of the so-called Internet of Things) and may never be updated. Update: Later on Tuesday, Intel added links for the fixes for customers of Dell and its own hardware products.
“In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience,” the company said in a bulletin posted on its web site dated Nov. 20. “As a result, Intel has identified security vulnerabilities that could potentially place impacted platforms at risk.”
The problems include allowing hackers to load and run unauthorized programs, crash a system or impersonate system security checks, Intel said. In many, but not all cases, the hacker would need physical access to a PC to exploit the vulnerabilities. The flaws exist in almost every mainstream chip Intel has sold in recent years, including its older 6th generation Core chips, introduced in 2015, and its 7th generation, which came on the market last year.
Intel said customers should look to their PC manufacturers for fixes. “We worked with equipment manufacturers on firmware and software updates addressing these vulnerabilities, and these updates are available now,” the company said in a statement to Fortune. “Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible.”
Although Intel’s chips are designed to let users decide which programs to run, the microprocessors also have several kinds of software built in to provide certain features. The management engine, which is designed to provide, among other functions, security while a computer boots up, runs a version of an older operating system called Minix. And it’s by exploiting that software that researchers have recently found ways to trick the Intel chips into running malicious code.
In its announcement, Intel also thanked two researchers, Mark Ermolov and Maxim Goryachy from Positive Technologies Research, for helping uncover the vulnerabilities.
Goryachy said the researchers would present more details of their findings at the upcoming Black Hat Europe conference. The deep-seated position of the flaws was particularly troubling, he said, but he praised Intel’s response.
“Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures such as anti-virus,” Goryachy said. “We worked closely with Intel to ensure responsible disclosure and the company has been very proactive by developing a tool which helps people detect if their systems are vulnerable.”