Security News

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that are otherwise designed to shield sensitive data of users even when a system gets compromised. Intel CSME is a separate security micro-controller incorporated into the processors that provides an isolated execution environment protected from the host opening system running on the main CPU. It is responsible for the initial authentication of Intel-based systems by loading and verifying firmware components, root of trust based secure boot, and also cryptographically authenticates the BIOS, Microsoft System Guard, BitLocker, and other security features.

All Intel processors released in the past 5 years contain an unpatchable vulnerability that could allow hackers to compromise almost every hardware-enabled security technology that are otherwise designed to shield sensitive data of users even when a system gets compromised. Intel CSME is a separate security micro-controller incorporated into the processors that provides an isolated execution environment protected from the host opening system running on the main CPU. It is responsible for the initial authentication of Intel-based systems by loading and verifying firmware components, root of trust based secure boot, and also cryptographically authenticates the BIOS, Microsoft System Guard, BitLocker, and other security features.

Most Intel chipsets released in the past five years are affected by a vulnerability that can be exploited to obtain encrypted data and compromise data protection technologies, Positive Technologies revealed on Thursday. According to Positive Technologies, CVE-2019-0090 is an unfixable vulnerability that affects the Converged Security and Management Engine boot ROM on most Intel chipsets and system on chips, except for Ice Point chipsets.

It cannot be fixed without replacing the silicon, only mitigated, it is claimed: the design flaw is baked into millions of Intel processor chipsets manufactured over the past five years. Buried deep inside modern Intel chipsets is what's called the Management Engine, or these days, the Converged Security and Manageability Engine.

Intel patched over 230 vulnerabilities in its products last year, but less than a dozen impacted its processors, according to the company's 2019 Product Security Report. Intel said it learned of 236 vulnerabilities in 2019, including 144 discovered internally by its employees.

RSA CONFERENCE 2020 - San Francisco - Intel announced four new security capabilities and provided further information on its previously-announced Compute Lifecycle Assurance supply chain transparency initiative today at RSA Conference 2020 in San Francisco. Intel hardware is the bedrock of much of the world's computing capability.

Intel is warning of a high-severity flaw in the firmware of its converged security and management engine, which if exploited could allow privilege escalation, denial of service and information disclosure. Another critical flaw discovered in May could allow an authenticated user to enable escalation of privilege over network access in CSME. Overall, Intel patched six flaws on Tuesday, including the high-severity flaw in CSME. The remainder of the vulnerabilities were medium and low-severity.

Forget the infamous Meltdown and Spectre chip flaws from 2018, the problem that's tying down Intel's patching team these days is a more recent class of side channel vulnerabilities known collectively as ZombieLoad. These relate to a data leakage problem called Microarchitectural Data Sampling affecting Intel's speculative execution technology introduced in the late 1990s to improve chip performance. ZombieLoad was originally made public by researchers last May as part of a triplet of hypothetical issues which included two others, Fallout and Rogue In-Flight Data Load, affecting post-2011 Intel processors.

Researchers have identified a new speculative execution type attack, dubbed CacheOut, that could allow attackers to trigger data leaks from most Intel CPUs. The more serious of the two CacheOut bugs, tracked as CVE-2020-0549, is a CPU vulnerability that allows an attacker to target data stored within the OS kernel, co-resident virtual machines and even within Intel's Software Guard Extensions enclave, a trusted execution environment on Intel processors.

Intel on Monday issued a processor data leakage advisory, describing two chip architecture flaws, one of which it tried to fix twice before. Intel's microcode fix involved using the VERW instruction and the L1D FLUSH command to overwrite the store buffer value, to prevent buffer data from being read. But Intel's initial fix in May failed.