Intel issues advisory for 16 new firmware vulnerabilities

nanoguy

The big picture: With the transition to a hybrid work model, security has become a much more complex problem that spans even more variables than before. Companies like Intel and AMD are now facing a wave of newly discovered firmware issues that cannot be patched soon enough.

Intel says it has discovered no less than 16 new BIOS/UEFI vulnerabilities that allow malicious actors to perform escalation of privilege and denial of service attacks on affected systems. That means they can be leveraged to bypass many operating system protections as well as traditional endpoint security solutions, allowing hackers to extract sensitive information or lock it with ransomware.

Most of the flaws have a high severity rating, while three are described as medium severity and one is low severity. Intel explains the impacted systems include those powered by 6th to 11th generation Core processors, Xeon models from the W, E, D, and Scalable families, Core X-Series, and models from the Atom C3XXX family.

The good news is that none of the flaws can be exploited by an attacker unless they have physical access to the target machine. However, they do pose a risk in the case of professionals using work-provided laptops.

Intel is currently working on coordinating firmware updates with several vendors to mitigate these issues, but there’s no clear release roadmap as of writing this. The company credits Hugo Magalhaes from Oracle for reporting half of the disclosed vulnerabilities.

It’s worth noting these flaws aren’t related to the BIOS/UEFI flaws disclosed earlier this month by security firm Binarly, which can be exploited remotely and allow attackers to bypass hardware security features on affected systems.


 
Intel: Oh crap, we found more vulnerabilities.
Intel PR: Shhhh... don't say anything about those yet. We're going to make a press release about how we're more secure than AMD and this will throw off our numbers and make us look bad.
Intel 1 week later: Ok, they've forgotten about that article by now, here's the new vulnerabilities that we've fixed. That should do it.
 
Great, right after I updated our entire fleet of laptops. I guess I get ready to do it all over again.
 
Yes...yes they did! But now that you mention it, that PR stunt did not include Intel management engine which has been rife for hackers lately.
Lately, as in a couple of years ago, and have been patched within weeks?
 
Asus Z170 boards have been neglected since 2018. Wonder if they'll actually issue a new bios
I just don't get comments like these. So few people read past the headline and always miss this part:

"none of the flaws can be exploited by an attacker unless they have physical access to the target machine."

Physical access. If an attacker has physical access to your desktop or laptop does it matter what software security you have at that point? Not really.

These vulnerabilities don't affect the majority of computer users. If you are storing and transporting highly classified documents on a laptop this would affect you. If you are a large company who stores their industry secrets in encrypted systems this would affect you. However, these vulnerabilities still require physical access to the system and if an attacker has physical access to any of these systems the software security you have on it won't keep it from getting stolen or damaged. If an attacker has unlimited time to hack into your system, because they stole it, they will eventually get in no matter what measure you took.

Physical security is just as important as software and hardware security.

If someone has physical access to your system it really doesn't matter anymore since they can take the hardware or just destroy it.

If someone has physical access to your computer are you going to be worried about them hacking into your computer or stealing it?
 
While I totally get your argument (and basically agree), as someone with one of those Asus boards, the article also references the other severe exploits revealed recently that do not need physical access to the machine.

With supply constraints making it difficult to upgrade my system, I have also been wondering if this motherboard, which has actually been pretty solid, will get new firmware. And if you are going to patch the one issue, you may as well patch the other (if it is not too difficult).

So thank you, Nintenboy01!
 