Intel patched ten vulnerabilities across a dozen generations of CPUs, with many of the vulnerabilities being severe and impacting millions of devices.
The flaws would let hackers run code on targeted systems using vulnerabilities, which include multiple buffer overflows in the operating system kernel for the Intel Management Engine (ME) firmware.
Lenovo, whose website calls it a high severity vulnerability with an industry-wide scope, has a striking description of the issue:
“An attacker could load and execute arbitrary code outside the visibility of the user, operating system, and hypervisor/virtualization platform; resulting in exfiltration of secrets, subtle manipulation of system operation or denial of service.”
Intel’s ME has long been criticized by security experts as a secret second internet-connected computer running inside your own machine without your knowledge or consent. That’s a potentially giant problem from a number of angles, not least of which is the fact that a user can’t turn ME off.
David A. Eckhardt, a computer science professor at Carnegie Mellon University, dove into Intel ME and calls it simply “the bad thing.”
It’s a secretive protocol, but there is a years-long history of Intel ME information out there including early deep dives, multiple previous vulnerabilities from 2017 alone and outcry about the “security hazard” it poses to mostly unknowing users.
The firm is urging affected customers to update their firmware. Intel released a downloadable detection tool to analyze systems for vulnerabilities impacting Intel ME.