What is the world’s most widely-used operating system on new PCs?
Windows?
Guess again.
In all probability, it’s the venerable operating system Minix, running on a shadowy subsystem called the Management Engine (ME) that’s built into all recent Intel computers.
Officially, ME is there to make remote troubleshooting for support engineers easier, including – and this is not a misprint – when the PC is turned off but still plugged into the wall.
But ME’s ubiquity and startling capabilities matter to a growing body of critics worried about the security implications of running what, in effect, is an independent system-within-a-system – the Intel-inside-Intel if you like.
The latest salvo was September’s promise by Russian researchers Maxim Goryachy and Mark Ermolov of Positive Technologies to host a session at next month’s Black Hat Europe event during which they would demo an exploit capable of compromising ME to gain “god mode” control over a PC.
This week Intel put out an urgent security advisory confirming the issue, so it seems the pair weren’t simply talking up their presentation to get bums on seats.
Intel lists four ME vulnerabilities (CVE-2017-5705, CVE-2017-5708, CVE-2017-5711, CVE-2017-5712), affecting a swathe of recent processors running ME Firmware v11.x onwards as well as Server Platform Services v4.0 and TXE v3.0.
Several vulnerable processors are listed – anyone running a computer or server based on a Core, Xeon, Atom, Celeron, or Pentium from the last two years can assume they are affected.
Intel has posted a utility to check for these bugs, but ME firmware fixes will need to come from each hardware maker, which is where things get messier.
For instance, a visit to Dell’s support pages lists fixes for its servers but also shows the words “to be determined” next to 100 or more of the PC systems the company supports.
Users looking for a quick fix shouldn’t hold their breath.
What could an attacker do to an unpatched system?
Intel mentions several possibilities, but an alarming standout is the ability to “load and execute arbitrary code outside the visibility of the user and operating system.”
A lot of admins will find themselves doing a double-take reading this, particularly the idea that something inside a PC can run code without the desktop or server operating system being in charge.
Unhappiness at the way ME bends the rules has been steadily growing – and not just from the tinfoil hat brigade.
The privacy croup EFF described ME as a tiny homunculus computer, complete with its own operating system, processor chip, drivers, network stack and web server.
Then, in August, Google engineer Ronald Minnich mentioned that the search giant was so unsettled by the security risks of ME running its own Minix operating system that it planned to rip out as much of ME as possible from its Linux servers.
Interestingly, Microsoft’s recent secure PC specification made no mention of ME beyond endorsing Intel’s new processor generation.
What is clear is that researchers smell blood and will continue to probe ME and equivalent low-level technologies for weaknesses.
After this week, few will bet against them finding more problems.