Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Intel Bug

Intel Patches Three High-Severity Vulnerabilities (threatpost.com) 32

Intel's latest patches "stomped out three high-severity vulnerabilities and five medium-severity flaws," reports Threatpost: One of the more serious vulnerabilities exist in the Intel Processor Identification Utility for Windows, free software that users can install on their Windows machines to identify the actual specification of their processors. The flaw (CVE-2019-11163) has a score of 8.2 out of 10 on the CVSS scale, making it high severity. It stems from insufficient access control in a hardware abstraction driver for the software, versions earlier than 6.1.0731. This glitch "may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access" according to Intel. Users are urged to update to version 6.1.0731.

Intel stomped out another high-severity vulnerability in its Computing Improvement Program, which is program that Intel users can opt into that uses information about participants' computer performance to make product improvement and detect issues. However, the program contains a flaw (CVE-2019-11162) in the hardware abstraction of the SEMA driver that could allow escalation of privilege, denial of service or information disclosure...

A final high-severity flaw was discovered in the system firmware of the Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. The flaw (CVE-2019-11140) with a CVSS score of 7.5 out of 10, stems from insufficient session validation in system firmware of the NUC. This could enable a user to potentially enable escalation of privilege, denial of service and information disclosure. An exploit of the flaw would come with drawbacks -- a bad actor would need existing privileges and local access to the victim system.

The article notes that the patches "come on the heels of a new type of side-channel attack revealed last week impacting millions of newer Intel microprocessors manufactured after 2012."
This discussion has been archived. No new comments can be posted.

Intel Patches Three High-Severity Vulnerabilities

Comments Filter:
  • Intel Names Robert Swan CEO [intel.com]. (Jan. 31, 2019)

    "Swan, 58, who has been serving as Intel's interim CEO for seven months and as chief financial officer since 2016, is the seventh CEO in Intel's 50-year history. Swan has also been elected to Intel's board of directors."

    With no effective technology leadership, Intel cannot be successful, in my opinion.
    • by K. S. Kyosuke ( 729550 ) on Saturday August 17, 2019 @09:30PM (#59098010)

      With no effective technology leadership, Intel cannot be successful, in my opinion.

      You think this is Intel's...Swan song?

    • by antdude ( 79039 )

      That bugs me. Why didn't Intel board member pick someone to find a real CEO.

      • The problem stems from the 1980's when courts decided that the shareholders own the company. Why is that bad? Because Wall Street only cares about raising the share price each quarter. Nothing else!

        So who are you going to hire? Someone with technical knowledge? Or someone who is an accounting whiz with an MBA who can raise the share price and put in accounting tricks? The ladder obviously.

        Accountants should have no business running a company unless it's a financial services one. The original MBA program was

    • You do have a point. I'm not totally disagreeing, but there is a counterpoint.

      The job of the CEO in a company the size of Intel is to help decide whether or not to buy another large company and make that happen, to work with VPs who are good at working with directors who are good at managing managers how manage the tech leads that lead the development teams, etc. They are busy ASF doing their job running a huge company. They don't have time, even if they have the talent, to keep up on the technical detai

      • The CFO's job is to not spend money. The CEO's job is to spend money. Being a CFO does not prepare one to be a CEO. I worked for a tribal casino once where the CFO became the CEO and it was terrible. He didn't want to spend anything on anything and everything suffered.

      • Have you read "The Peter Principle" ? The book lays out the idea that people are promoted to their level of incompetence, the point at which they fail enough to not be promoted again. To achieve the rank of CEO does not necessarily mean the person is _good_ at that role, merely that they've succeeded in the roles below it. For engineers who are promoted to management, it's often the last stage of their career because what they were _really_ good at is no longer what they do.

      • I hate that ego we can manage technical skills can be learned BS.

        Steve Jobs had harsh words for leaders like this in today's environment. PepsiCo and Xerox were ran into the ground. They didn't understand their product or their customers and never promoted the nerds underneath. At Apple when Steve was around he made the folks who were at the cutting edge stars and promoted them to leadership roles. Apple was phased out when he left and led again when he returned while Dell and others focused on share price

        • They didn't understand their product or their customers and never promoted the nerds underneath.

          Not understanding your product or customers is a fatal mistake, but that myopia is not limited to people from the finance end. What made Jobs supremely effective was not his non-existent engineering savvy; it was that he was a premiere marketer. If sales and finance guys aren't understanding and adopting the correct marketing strategy, its just as fatal as not placing the right technologist in charge to make strategic engineering decisions.

          Its ridiculous to be promoting nerds into positions outside of the

    • "With no effective technology leadership, Intel cannot be successful, in my opinion."

      NetBurst happened under Craig Barrett's watch.

  • by gweihir ( 88907 ) on Saturday August 17, 2019 @09:53PM (#59098048)

    Good software engineering comes without this type of fuckup. These are not "glitches", there are signs of severe incompetence and not caring. Sure, mistakes happen, but CVE "high severity" ones only happen when several things went seriously wrong.

    This story seems to celebrate the actions by Intel, when it should question how this happened in the first place. It is high time that severe engineering screw-ups in software stop to get a free pass and are called what they are.

    • intel got very set in place and ripped people off with high costs and lack stuff like PCI-E lanes.

    • by AHuxley ( 892839 )
      But the CPU has to be faster and faster.
      One way to do that was a set release cycle and the hope that nobody smart would ever go looking.
      The other way was to design CPU products with an understanding of security long term.
      • by Viol8 ( 599362 ) on Sunday August 18, 2019 @04:28AM (#59098592) Homepage

        Constantly playing Intel and AMD off against each other to produce ever faster processors to run their poorly written bloatware. Why for example does Word these days need a 2GHz to run at a reasonable speed FFS when older versions with maybe 30% of the features (and 95% of the features anyone needed) used to run quite happily on a 66Mhz 486!

        • by gtall ( 79522 )

          because "30% of the features (and 95% of the features anyone needed)".

          Say you are your basic software production outfit, you have users, you need a revenue stream. Software doesn't go bad, OSes do, then software must follow or be left not running because the OS guys really needed to add those extra special whizzies that make their cold little hearts go pitter-patter.

          That won't make your revenue stream fat enough. Your accountants will tell you this, and your competitors have added Extra Special Whizzie 2.71

        • Constantly playing Intel and AMD off against each other to produce ever faster processors to run their poorly written bloatware.

          Because that's what their customers want. Yeah I know, crazy idea, giving customers what they ask for. They want faster, and it's not theirs to ask the customers why they want it. Just give it to them. Why do you need more than 640K of memory?

          • by Viol8 ( 599362 )

            Customers want faster yet they get bloated slow software that requires a faster processor to run at the same speed as the older stuff requiring them to cough up for a new machine. Yeah, I'm sure they asked for that.

            Perhaps revisit your argument and get back to me.

  • Question (Score:3, Interesting)

    by Anonymous Coward on Sunday August 18, 2019 @01:15AM (#59098290)

    Have they patched the core vulnerability introduced by the fundamental design of their processors?

    • Nope. Everything they sell but itanic is still vulnerable to MELTDOWN.

      • They patched meltdown but the workaround made zombieload worse ironically.

        Meanwhile AMD doesn't have these problems and is now superior in performance as of recent. Comes to show what differences in leadership makes.

  • Don't install software you don't really need.

  • by Viol8 ( 599362 ) on Sunday August 18, 2019 @04:12AM (#59098566) Homepage

    Surely thats all you need to run to find out the processor type and hence its capacilities? Perhaps things have changed since I last wrote x86 assembler.

No spitting on the Bus! Thank you, The Mgt.

Working...