Intel's commitment to making its stuff secure is called into question

Security is a process or at least an aspiration

Intel claims that "protecting our customers’ data and ensuring the security of our products is a top priority" for the semiconductor giant – however, security researcher Stefan Kanthak argues otherwise.

In an email to The Register in response to our report about the problems posed by the Manufacturing Mode in Intel's Management Engine (ME), which if left open leaves processors vulnerable to local attack, Kanthak called Intel's statement "a blatant lie."

"The statement is typical PR, and as such of no value," he said.

That may be a bit excessive. Since the Spectre and Meltdown side-channel processor vulnerabilities were disclosed earlier this year – affecting AMD, ARM, Intel and others – Intel has made a concerted effort to pay more attention to security or at least to talk about it more.

It has gone from insisting the identified exploits are not the result of bugs or flaws and pointing out that other chipmakers are also affected to hiring crisis PR firm Sard Verbinnen & Co., forming a product security group called Intel Product Assurance and Security (IPAS), delivering a series of patches, and implementing design changes in its Whiskey Lake and forthcoming Cascade Lake chips.

The Register hears from those close to Chipzilla's inner workings that the corp is sincere in its desire to make its products more secure.

Whether that sentiment translates into the ability deliver on that desire can be debated. Certainly Intel has adopted organizational changes to improve its security posture. But Kanthak argues the chipmaker's supposed security zeal hasn't yet spread throughout the company.

"The PSIRT is rather busy since Spectre/Meltdown, and the response times increased noticeably," he said, noting that he's been in regular contact with the security group for many years. "But Intel is not a one-man show, there are many independent groups and departments which create drivers and applications and their installers. The people who work on Spectre/Meltdown are typically not those who write (Windows) drivers or applications."

It's Intel's Windows-oriented software that most concerns Kanthak, in keeping with his efforts to encourage Microsoft to stop building Windows installers with vulnerable tools. He points to his recently published disclosure about Intel's Extreme Tuning Utility as an example of the chipmaker's slipshod approach.

The initial bug report was made September 4th, 2017 and, with no response, was resent again on March 22nd, 2018. Intel issued a supposed fix without any security advisory on May 22, 2018, but the vulnerability remained. There was a follow-up bug report on June 5th, 2018 and on September 11, 2018, Intel re-fixed its code, this time with an advisory.

As further evidence that Intel is slow to respond to security issues, he provided The Register with a baker's dozen of other bug reports for Intel software that were submitted in June, with the proviso that we not publish details because Intel hasn't fixed some of the flaws.

Intel code may also be vulnerable to an issue reported last year in Microsoft's .NET Framework that Microsoft has declined to fix. "After the release of Windows Vista, Intel started to use .NET Framework in many of its drivers' GUI applications," said Kanthak. "Since these applications need to be run elevated, they all allow this trivial escalation of privilege (or UAC bypass)."

The Register asked Intel for a response to Kanthak's criticism. The chipmaker offered this statement via email:

Protecting our customers and their data continues to be a critical priority for us. We follow the principles of coordinated disclosure to deploy mitigations and inform the public. Given the nature of our products, we commonly work with our customers and other third parties, including hardware, software, and services vendors, as well as end users, to develop and deploy mitigations. Effective mitigation may require all these parties to work together in coordinated cooperation.

Regarding CSME [the ME is one firmware under the umbrella term Converged Security and Management Engine], Intel recently consolidated CSME updates into quarterly packages to simplify the update process and improve predictability for our customers and partners. This makes it simpler for them to validate and apply fixes and make them available to end users.

In other words, security can be slow. ®

Similar topics

Other stories you might like

  • Graviton 3: AWS attempts to gain silicon advantage with latest custom hardware

    Key to faster, more predictable cloud

    RE:INVENT AWS had a conviction that "modern processors were not well optimized for modern workloads," the cloud corp's senior veep of Infrastructure, Peter DeSantis, claimed at its latest annual Re:invent gathering in Las Vegas.

    DeSantis was speaking last week about AWS's Graviton 3 Arm-based processor, providing a bit more meat around the bones, so to speak – and in his comment the word "modern" is doing a lot of work.

    The computing landscape looks different from the perspective of a hyperscale cloud provider; what counts is not flexibility but intensive optimization and predictable performance.

    Continue reading
  • The Omicron dilemma: Google goes first on delaying office work

    Hurrah, employees can continue to work from home and take calls in pyjamas

    Googlers can continue working from home and will no longer be required to return to campuses on 10 January 2022 as previously expected.

    The decision marks another delay in getting more employees back to their desks. For Big Tech companies, setting a firm return date during the COVID-19 pandemic has been a nightmare. All attempts were pushed back so far due to rising numbers of cases or new variants of the respiratory disease spreading around the world, such as the new Omicron strain.

    Google's VP of global security, Chris Rackow, broke the news to staff in a company-wide email, first reported by CNBC. He said Google would wait until the New Year to figure out when campuses in the US can safely reopen for a mandatory return.

    Continue reading
  • This House believes: A unified, agnostic software environment can be achieved

    How long will we keep reinventing software wheels?

    Register Debate Welcome to the latest Register Debate in which writers discuss technology topics, and you the reader choose the winning argument. The format is simple: we propose a motion, the arguments for the motion will run this Monday and Wednesday, and the arguments against on Tuesday and Thursday. During the week you can cast your vote on which side you support using the poll embedded below, choosing whether you're in favour or against the motion. The final score will be announced on Friday, revealing whether the for or against argument was most popular.

    This week's motion is: A unified, agnostic software environment can be achieved. We debate the question: can the industry ever have a truly open, unified, agnostic software environment in HPC and AI that can span multiple kinds of compute engines?

    Our first contributor arguing FOR the motion is Nicole Hemsoth, co-editor of The Next Platform.

    Continue reading

Biting the hand that feeds IT © 1998–2021