Intel issues advisory for 16 new firmware vulnerabilities

nanoguy

Posts: 1,243   +24
Staff member
The big picture: With the transition to a hybrid work model, security has become a much more complex problem that spans even more variables than before. Companies like Intel and AMD are now facing a wave of newly discovered firmware issues that cannot be patched soon enough.

Intel says it has discovered no less than 16 new BIOS/UEFI vulnerabilities that allow malicious actors to perform escalation of privilege and denial of service attacks on affected systems. That means they can be leveraged to bypass many operating system protections as well as traditional endpoint security solutions, allowing hackers to extract sensitive information or lock it with ransomware.

Most of the flaws have a high severity rating, while three are described as medium severity and one is low severity. Intel explains the impacted systems include those powered by 6th to 11th generation Core processors, Xeon models from the W, E, D, and Scalable families, Core X-Series, and models from the Atom C3XXX family.

The good news is that none of the flaws can be exploited by an attacker unless they have physical access to the target machine. However, they do pose a risk in the case of professionals using work-provided laptops.

Intel is currently working on coordinating firmware updates with several vendors to mitigate these issues, but there’s no clear release roadmap as of writing this. The company credits Hugo Magalhaes from Oracle for reporting half of the disclosed vulnerabilities.

It’s worth noting these flaws aren’t related to the BIOS/UEFI flaws disclosed earlier this month by security firm Binarly, which can be exploited remotely and allow attackers to bypass hardware security features on affected systems.

Permalink to story.

 

antiproduct

Posts: 245   +304
Intel: Oh crap, we found more vulnerabilities.
Intel PR: Shhhh... don't say anything about those yet. We're going to make a press release about how we're more secure than AMD and this will throw off our numbers and make us look bad.
Intel 1 week later: Ok, they've forgotten about that article by now, here's the new vulnerabilities that we've fixed. That should do it.
 

veLa

Posts: 1,169   +838
Great, right after I updated our entire fleet of laptops. I guess I get ready to do it all over again.
 

bviktor

Posts: 971   +1,418
Yes...yes they did! But now that you mention it, That PR stunt did not include Intel management engine which would has been rife for hackers lately.
Lately, as in a couple of years ago, and have been patched within weeks?
 

Bobbydpue

Posts: 374   +246
Asus Z170 boards have been neglected since 2018. Wonder if they'll actually issue a new bios
I just don't get comments like these. So few people read past the headline and always miss this part:

"none of the flaws can be exploited by an attacker unless they have physical access to the target machine. "

Physical access. If an attacker has physical access to your desktop or laptop does it matter what software security you have at that point? Not really.

These vulnerabilities don't affect the majority of computer users. If you are storing and transporting highly classified documents on a laptop this would affect you. If you are a large company who stores their industry secrets in encrypted systems this would affect you. However, these vulnerabilities still require physical access to the system and if an attacker has physical access to any of these systems the software security you have on it won't keep it from getting stolen or damaged. If an attacker has unlimited time to hack into your system, because they stole it, they will eventually get in no matter what measure you took.

Physical security is just as important as software and hardware security.

If someone has physical access to your system it really doesn't matter anymore since they can take the hardware or just destroy it.

If someone has physical access to your computer are you going to be worried about them hacking into your computer or stealing it?
 

mountains

Posts: 74   +89
I just don't get comments like these. So few people read past the headline and always miss this part:

"none of the flaws can be exploited by an attacker unless they have physical access to the target machine. "

Physical access. If an attacker has physical access to your desktop or laptop does it matter what software security you have at that point? Not really.

These vulnerabilities don't affect the majority of computer users. If you are storing and transporting highly classified documents on a laptop this would affect you. If you are a large company who stores their industry secrets in encrypted systems this would affect you. However, these vulnerabilities still require physical access to the system and if an attacker has physical access to any of these systems the software security you have on it won't keep it from getting stolen or damaged. If an attacker has unlimited time to hack into your system, because they stole it, they will eventually get in no matter what measure you took.

Physical security is just as important as software and hardware security.

If someone has physical access to your system it really doesn't matter anymore since they can take the hardware or just destroy it.

If someone has physical access to your computer are you going to be worried about them hacking into your computer or stealing it?
While I totally get your argument (and basically agree), as someone with one of those Asus boards, the article also references the other severe exploits revealed recently that does not need physical access to the machine.

With supply constraints making it difficult to upgrade my system, I have also been wondering if this motherboard, which has actually been pretty solid, will get new firmware. And if you are going to patch the one issue, you may as well patch the other (if it not too difficult).

So thank you, Nintenboy01!