Intel Admits To Serious Security Flaw In PC Chips

Not so good news out of Intel to go into the holiday weekend: the technology firm has admitted that there were many — and serious — flaws in the software hidden in almost every PC chip it sold in recent years.

Oops.

The holes came care of a feature call the “management engine” that has been a part and parcel of Intel CPU for some time — up to and including its new 8th generation Core Processor series. The goods news? Intel said it has developed software patches to eliminate the problems. The less than good news — it seems that only two manufacturers (Dell and Lenovo) are listed by Intel as having created a way for customers to actually put the patch in place across their devices.

Other PC makers have listed fixes on their sites — but in many, those patches won’t help the vulnerable chips currently living inside a variety of IoT devices. Many of those, according to reports, risk going permanently unfixed.

“In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience,” the company said in a bulletin posted on its web site dated Nov. 20. “As a result, Intel has identified security vulnerabilities that could potentially place impacted platforms at risk.”

The flaw, such as it is, could be exploited by hackers looking to load and run unauthorized software, or crash a system, or impersonate someone else to get through a digital security check. Those hacks may not become common, since in many cases the cybercriminal in action would need physical access to the computer to access the Intel software.

But the flaw does exist in almost every mainstream chip Intel has sold in recent years — which gives hackers a lot of targets to chose from.

Intel recommends customers look to their PC manufacturers for fixes.

“We worked with equipment manufacturers on firmware and software updates addressing these vulnerabilities, and these updates are available now,” the company said in a statement to Fortune. “Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible.”

Some larger scale firms using Intel chips — Google, for example — have also discussed disabling the management engine entirely as a way to be rid of the security problem.

Two researchers, Mark Ermolov and Maxim Goryachy from Positive Technologies Research, are credited with helping uncover the problem.

Goryachy said the researchers would present more details of their findings at the upcoming Black Hat Europe conference.  He also noted the flaws are troubling because of how deeply within system architecture they live.

“Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures such as anti-virus,” Goryachy said. “We worked closely with Intel to ensure responsible disclosure and the company has been very proactive by developing a tool which helps people detect if their systems are vulnerable.”