Yet more buffer overruns, one of which is related to HTML - something not noted for tight in-built sanitation. I was going to ask "What were they thinking?" but clearly somebody wasn't.
In case you missed it, Chipzilla has gone public with more security updates for the Intel Management Engine. The advisories, here and here, address four exploitable bugs. Positive Technologies, which discussed the bugs in detail here, identified CVE-2018-3628, a “Buffer overflow in HTTP handler” as the most serious. That's …
Maybe they were thinking (when they shipped this) that shiny shit sells, based on share-prices and similar historic evidence.
Apparently it still does sell. It's probably going to carry on doing so, until the people in the corporate boardrooms start to feel their own personal share of the pain, as well as taking their own personal share of the gain.
"Our time as victims is over
We will no longer ask for justice
Instead we will take our retribution"
"Typical PC sold for "home" use isn't going to have the vPro that has these flaws, I think."
Yeah, right, "restrict" home users to an INFERIOR model? I don't think so. Yeah, I know that's an extreme 'straw man' kind of position, but I'm using that illustration to make the point that ANYBODY should be able to have ANYTHING HE WANTS and if it's a "business" version, then so be it.
Besides, the problem here isn't whether or not a user is a 'home user'. The problem is that INTEL PUT THIS THING INTO THE SILICON. It is a _REASON_ to _NOT_ use their silicon.
HEY INTEL how about an UPDATE to LET US CANONICALLY SHUT THE @#$% *OFF*???
"The Intel Core 2 Duo vPro, Intel Centrino 2 vPro, 1st Generation Intel Core, 2nd Generation Intel Core, and 3rd Generation Intel Core won't get patches because they are now so old that Chipzilla no longer supports them." - so they put in this ME stuff that a multitude of security experts said was a bad idea at the time and now want to claim it's too old to support? How about just offering the option to disable ME for old chips that should never have shipped with this trash in the first place?
Cue US lawsuit please.
I was considering changing out my 10 year old Dell laptop with an AMD CPU for something newer as I have maxed out what RAM it will take, but the more I read the more I think I am better off holding on to it until these flaws have been fixed and this management engine BS can be disabled completely as I don't require it on a home computer.
The solution seems quite simple: fill the onboard ethernet port with glue, and drop in a non-Intel network card. My understanding is that the ME network interface is only exposed through network interfaces provided by Intel chipsets (and only certain ones at that?). Laptop users may have to resort to using an external dongle if they can't replace the built-in Intel wifi.
"The solution seems quite simple: fill the onboard ethernet port with glue, and drop in a non-Intel network card. "
I did that a decade ago. I'd bought an ex-lease corporate desktop for home use, partly so I could remotely access the thing via AMT/vPRO while I was working away, without needing its OS to be alive (and without spending a fortune on corporate IPkvm gadgets that cost hundreds of dollars to achieve the same thing via a relatively leakproof setup of VGA cable and frame grabber).
Then I bought a similarly equipped corporate laptop for similar reasons, by that time a laptop had become a computer with a convenient built-in battery backed up power supply.
Who'd have thought, a decade ago, that such remote access features could be used for nefarious purposes, especially if they were overcomplicated and underprotected and universally active (but not universally visible to the punter)?