Serious Flaw Patched In Intel Driver Update Utility (csoonline.com) 34
itwbennett writes: The flaw in a utility that helps users download the latest drivers for their Intel hardware components stems from the tool using unencrypted HTTP connections to check for driver updates. It was discovered by researchers from Core Security and was reported to Intel in November. The Core Security researchers found that the utility was checking for new driver versions by downloading XML files from Intel's website over HTTP. These files included the IDs of hardware components, the latest driver versions available for them and the corresponding download URLs. Intel Driver Update Utility users are strongly advised to download the latest version from Intel's support website.
Good thing no one buys security from Intel (Score:5, Funny)
>> Intel uses unencrypted HTTP connections to check for driver updates.
What a bunch of dumbasses! It's a good thing no one buys security from Intel!
>> http://www.intelsecurity.com/ [intelsecurity.com]
>> http://www.intel.com/content/w... [intel.com]
(quits laughing, starts crying)
Perhaps (Score:2)
I have no problem with certain types of content being unencrypted. If it's static and does nothing the http protocol "should" be fine (depending on the app using the content). I also have no problem with people having a port80 listener redirecting to port443. People are too lazy to type in a URL, let alone "https://".
I didn't look at either of those links to investigate if the above scenarios are present. I have seen people say "Ugh, http needs to die" to any discussions regarding HTTP and HTTPS protocol
Re: Perhaps (Score:3)
Re: (Score:2)
Re: (Score:2)
You forget that SSL provides two benefits, not one.
1. No one can intercept the communication and read the messages. No one cares for driver updates so yep you would be perfectly safe letting everyone on your network read the driver files.
2. It proves that you are talking to who you think you are talking to. This is the bit you miss - for important system files that are executable, it's kinda important to make sure you get them from the legitimate source.
As it stands if you go to a coffee shop, anyone else t
Re: (Score:1)
This is "Serious"? (Score:1, Funny)
So, someone can see what hardware components you have. Scary stuff.
Re:This is "Serious"? (Score:4, Informative)
More like someone could easily MITM an unencrypted HTTP stream and redirect the user to a different download.... then, when the person executes the malicious payload.... bam! cryptowall!
Re: (Score:2)
I disagree.
I think that attackers are increasingly sophisticated.
All you would need to do is set up an open wifi hotspot, have someone connect to it, and inject some kind of message that they need to update their driver software and then link/redirect to the legit Intel web site. The user doesn't even have to be fooled, they are downloading a genuine Intel software product.
Then, when they go to update their driver, the MITM captures the XML and puts their own links in.
Re: (Score:2)
Or you could send them via email a link to a cat video that they need to run badprogram.exe to install the kitty codec to watch it.
Re: (Score:2)
Driver update utilities (Score:2)
I mean... it's like the oldest malware install vector of all time... download this driver update utility! We will abstract away that awful task of identifying your hardware and downloading software....
Who on Earth savvy enough to update drivers uses a black box utility to download and install low level pieces of software (that require admin privs to install) like this?
Re: (Score:3)
So, how many people have computers? How many of them are savvy enough to update drivers beyond what the computer tells them to do? How many laptops etc come with those "helpful" OEM turds designed to do this for you?
Computers are magical, spooky things beyond the comprehension of mere mortals .. they don't want to know such things. My in
Re: (Score:2)
I guess my point is, if you know that you need to update a driver AND you have made it to the manufacturer web site to download the driver AND you have navigated to the driver download page where the updater is likely to live anyway, how much extra work is it to just find the driver directly?
Re: (Score:2)
Re: (Score:2)
See, for so many people, unless a popup comes up, says you need an updated driver, and guides them through the process ... this is exactly what won't happen. They don't know a damned thing about this.
Are you so utterly out of touch with non-technical people to not grasp that these people aren't going gee, I need to update my driver so I should hop on over to the manufacturer website and find it? They're going "ZOMG, kittens!" They don't even know (or care) what a driver is.
Honestly, do you now know any n
Re: Driver update utilities (Score:2)
Re: (Score:2)
Fair enough.
I was thinking of driver update utilities that are pushed from the manufacturer's driver download web page.
I mean, you've already gotten that far and done about 85% of the work (identifying the hardware, finding the manufacturer web site, navigating to the download section) and NOW is when you get the "easy mode" option.... just click 2 or 3 more times and get the driver directly.
Re: (Score:2)
Every smart admin out there... I just wish that Windows Update covered more software and hardware, so windows machines only needed one update utility like Linux boxes... Macs are a little better, especially for things that have migrated into the app store.
Regards,
-Jeremy
windows 10 does but in a forced way (Score:2)
windows 10 does but in a forced way even in times where it fights with nvidia / ati tools as well.
Intel (Score:1)
I hate that damn utility. It was so much better when Intel had a drop down menu on their website that allowed users to simply select the drivers they needed. Now all the user can do is try to search for a driver and hope they get the right one, or use that crappy utility. Nice going Intel. :-/
That tool does not even work that well (Score:2)
That tool does not even work that well on boards with Intel chip sets often times it says no drivers even on high end boards with the latest chipsets.
Flaw in Intel's software process (Score:2)
What I would have expected in an Intel update tool that each group would plug into and get updates handled. Then instead of the 15-20 people working on Installers at Intel, ea
Tip of the iceberg (Score:2)
The tool was designed to check that the download URLs pointed to files hosted under the intel.com domain name. However, man-in-the-middle attackers would have been able to both modify the XML files in transit and to bypass the tool's domain check by using techniques such as ARP poisoning and DNS spoofing.
If you have someone doing ARP poisoning on your LAN and hijacking your DNS, you have a hell of a lot bigger problem than the issue with Intel's update utility.
I knew there was something wrong (Score:1)
That junk was absolutely outsourced and coded by some "trendy" team, it was NEVER tested on the most common Intel graphics displays such as 1366*768 (ultrabooks) nor 1280*720 (old HDTV). How do I know? Well, it doesn't display properly with large font setting of Windows.
It also installs documented, opt in but very alerting piece of data mining software running as administrator.