New alerts claim that virtually all Intel processors launched in the past five years have a fried security breach in silicon that cannot be corrected as such, even though the chip manufacturer has already implemented mitigation measures. Firm Positive Security Technologies found that Intel’s mitigation measures (introduced since the initial bug was discovered in May 2019) may not be sufficient to fully protect a PC from attack.
The most positive news (no pun intended) is that the vulnerability present in Intel’s Converged Security and Management Engine (CSME) – a subsystem on the CPU that takes care of all kinds of important security tasks, directly by pressing the power button – it is not insignificant to explore. In fact, it is a complicated thing to do. Intel first described the security bug as: “Insufficient access control vulnerability in the subsystem to … could allow an unauthorized user to potentially escalate privileges through physical access.”
So, in other words, you need physical (or local, possibly in some cases, that Positive Technologies is eligible) access to the machine to try to take advantage of the vulnerability, which combined with the sophisticated nature of the attack, makes this job difficult. do it. But it is still a worrying situation if there is apparently a security breach directly in the silicon that cannot be fixed because it cannot be fixed through a firmware update.
Positive Technologies notes that this is because the problem is present in the “early stages of subsystem operation, in its boot ROM” and that it is “impossible to fix firmware errors encoded in the mask ROM”. The security company also notes that Intel is already aware of the problems here and understands that it cannot fix the vulnerability in ROM; therefore, try to correct all possible attack vectors. But limiting any conceivable exploitation could clearly be a difficult process.
Positive technologies warned: “This vulnerability jeopardizes everything Intel has done to build the foundation of trust and establish a solid security foundation on the company’s platforms… The biggest concern is that, because this vulnerability allows compromise at the hardware level , it destroys chain trust for the platform as a whole ”.
In short, it is another blow to Intel’s security reputation, which it cannot afford, due to the huge amount of land that AMD is acquiring with its Ryzen offering.
Originally posted 2020-03-06 06:23:52.