
Serious Flaw Patched In Intel Driver Update Utility

itwbennett writes: The flaw in a utility that helps users download the latest drivers for their Intel hardware components stems from the tool using unencrypted HTTP connections to check for driver updates. It was discovered by researchers from Core Security and was reported to Intel in November. The Core Security researchers found that the utility was checking for new driver versions by downloading XML files from Intel's website over HTTP. These files included the IDs of hardware components, the latest driver versions available for them and the corresponding download URLs. Intel Driver Update Utility users are strongly advised to download the latest version from Intel's support website.
  • by xxxJonBoyxxx ( 565205 ) on Wednesday January 20, 2016 @03:49PM (#51338539)

    >> Intel uses unencrypted HTTP connections to check for driver updates.

    What a bunch of dumbasses! It's a good thing no one buys security from Intel!

    >> []
    >> []

    (quits laughing, starts crying)

    • I have no problem with certain types of content being unencrypted. If it's static and does nothing the http protocol "should" be fine (depending on the app using the content). I also have no problem with people having a port80 listener redirecting to port443. People are too lazy to type in a URL, let alone "https://".

      I didn't look at either of those links to investigate if the above scenarios are present. I have seen people say "Ugh, http needs to die" to any discussions regarding HTTP and HTTPS protocol

      • The problem isn't that Intel driver files are secret. The problem is HTTP can't ensure the XML file that tells where to download hasn't been changed in transit. Most likely this was done in order to be proxy friendly. The downside is you get pwned if Satan is your proxy.
        • by s.petry ( 762400 )
          You just reinforced what I said. The problem is not that HTTP is being used, it's that the client is trying to do everything through HTTP and the XML parsing does no validation. This is a client problem, not a protocol problem.
      • You forget that SSL provides two benefits, not one.

        1. No one can intercept the communication and read the messages. No one cares for driver updates so yep you would be perfectly safe letting everyone on your network read the driver files.

        2. It proves that you are talking to who you think you are talking to. This is the bit you miss - for important system files that are executable, it's kinda important to make sure you get them from the legitimate source.
        As it stands if you go to a coffee shop, anyone else t

    • by ZeRu ( 1486391 )
      Now, if they only would fix the "Intel RST service is not running" bug that I've been experiencing for months...
  • by Anonymous Coward

    So, someone can see what hardware components you have. Scary stuff.

    • by The-Ixian ( 168184 ) on Wednesday January 20, 2016 @03:56PM (#51338605)

      More like someone could easily MITM an unencrypted HTTP stream and redirect the user to a different download.... then, when the person executes the malicious payload.... bam! cryptowall!

      • The tool isn't enforcing code signatures? That's infinitely scarier... that's what you're suggesting, yes?
  • I mean... it's like the oldest malware install vector of all time... download this driver update utility! We will abstract away that awful task of identifying your hardware and downloading software....

    Who on Earth savvy enough to update drivers uses a black box utility to download and install low level pieces of software (that require admin privs to install) like this?

    • Who on Earth savvy enough to update drivers uses a black box utility to download and install low level pieces of software (that require admin privs to install) like this?

      So, how many people have computers? How many of them are savvy enough to update drivers beyond what the computer tells them to do? How many laptops etc come with those "helpful" OEM turds designed to do this for you?

      Computers are magical, spooky things beyond the comprehension of mere mortals .. they don't want to know such things. My in

      • I guess my point is, if you know that you need to update a driver AND you have made it to the manufacturer web site to download the driver AND you have navigated to the driver download page where the updater is likely to live anyway, how much extra work is it to just find the driver directly?

        • Not quite... The damned utilities are installed by the OEM as a part of the driver suite from the manufacturer (Yes, pretty much all manufacturers leave a turd like this running in the background). Utility tells you that there is an updated file to install, please click Install...
        • See, for so many people, unless a popup comes up, says you need an updated driver, and guides them through the process ... this is exactly what won't happen. They don't know a damned thing about this.

          Are you so utterly out of touch with non-technical people to not grasp that these people aren't going gee, I need to update my driver so I should hop on over to the manufacturer website and find it? They're going "ZOMG, kittens!" They don't even know (or care) what a driver is.

          Honestly, do you now know any n

    • Their update utilities often come preloaded on OEM machine images.
      • Fair enough.

        I was thinking of driver update utilities that are pushed from the manufacturer's driver download web page.

        I mean, you've already gotten that far and done about 85% of the work (identifying the hardware, finding the manufacturer web site, navigating to the download section) and NOW is when you get the "easy mode" option.... just click 2 or 3 more times and get the driver directly.

    • by reg ( 5428 )

      Every smart admin out there... I just wish that Windows Update covered more software and hardware, so windows machines only needed one update utility like Linux boxes... Macs are a little better, especially for things that have migrated into the app store.


  • by Anonymous Coward

    I hate that damn utility. It was so much better when Intel had a drop down menu on their website that allowed users to simply select the drivers they needed. Now all the user can do is try to search for a driver and hope they get the right one, or use that crappy utility. Nice going Intel. :-/

  • That tool does not even work that well on boards with Intel chipsets; oftentimes it says no drivers, even on high-end boards with the latest chipsets.

  • So having worked at Intel in software for many years - there is a fundamental flaw. Each group inside Intel hires an "installer guy" that is responsible for installing and updating their component. Get enough Intel hardware/software on your system and you will see 3 or 4 of these utilities running - each with their own little flaws.

    What I would have expected in an Intel update tool that each group would plug into and get updates handled. Then instead of the 15-20 people working on Installers at Intel, ea

  • FTA:

    The tool was designed to check that the download URLs pointed to files hosted under the domain name. However, man-in-the-middle attackers would have been able to both modify the XML files in transit and to bypass the tool's domain check by using techniques such as ARP poisoning and DNS spoofing.

    If you have someone doing ARP poisoning on your LAN and hijacking your DNS, you have a hell of a lot bigger problem than the issue with Intel's update utility.
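
An added example (not Intel's code and not taken from the linked article) of the point this subthread turns on: a download URL can name the expected host and still be fetched over plain HTTP, so a hostname check alone does not authenticate whoever answers. The manifest layout, element names and the `downloads.vendor.example` host are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Placeholder host: the page does not name the real download domain.
ALLOWED_HOSTS = {"downloads.vendor.example"}

# Constructed manifest; element and attribute names are assumptions.
SAMPLE_MANIFEST = """<updates>
  <driver id="component-1" url="https://downloads.vendor.example/gfx.exe"/>
  <driver id="component-2" url="http://downloads.vendor.example/net.exe"/>
  <driver id="component-3" url="https://downloads.vendor.example.other.test/a.exe"/>
  <driver id="component-4" url="https://downloads.vendor.example@other.test/b.exe"/>
</updates>"""


def host_only_check(url):
    """Domain check alone: says nothing about who actually served the bytes."""
    return urlsplit(url).hostname in ALLOWED_HOSTS


def strict_url_check(url):
    """Require HTTPS (TLS verifies the server), an exact allow-listed host,
    and no userinfo or non-default port."""
    parts = urlsplit(url)
    return (parts.scheme == "https"
            and parts.hostname in ALLOWED_HOSTS
            and parts.username is None
            and parts.port in (None, 443))


def audit_manifest(xml_text):
    """Return {component id: (host_only_ok, strict_ok)} for each entry."""
    root = ET.fromstring(xml_text)
    return {d.get("id"): (host_only_check(d.get("url")),
                          strict_url_check(d.get("url")))
            for d in root.iter("driver")}


def payload_matches(data, expected_sha256):
    """Check a downloaded file against a digest from a manifest that was
    itself authenticated (verified TLS or a verified signature)."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()
```

`component-2` is the case from the quoted article text: it passes the hostname check but is rejected once HTTPS is required. A digest carried in the manifest only helps if the manifest itself arrived over an authenticated channel.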

  • That junk was absolutely outsourced and coded by some "trendy" team, it was NEVER tested on the most common Intel graphics displays such as 1366*768 (ultrabooks) nor 1280*720 (old HDTV). How do I know? Well, it doesn't display properly with large font setting of Windows.

    It also installs a documented, opt-in but very alerting piece of data mining software running as administrator.