Intel Patches Three High-Severity Vulnerabilities (threatpost.com) 32

Intel's latest patches "stomped out three high-severity vulnerabilities and five medium-severity flaws," reports Threatpost: One of the more serious vulnerabilities exists in the Intel Processor Identification Utility for Windows, free software that users can install on their Windows machines to identify the actual specification of their processors. The flaw (CVE-2019-11163) has a score of 8.2 out of 10 on the CVSS scale, making it high severity. It stems from insufficient access control in a hardware abstraction driver for the software, versions earlier than 6.1.0731. This glitch "may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access" according to Intel. Users are urged to update to version 6.1.0731.

Intel stomped out another high-severity vulnerability in its Computing Improvement Program, which is a program that Intel users can opt into that uses information about participants' computer performance to make product improvements and detect issues. However, the program contains a flaw (CVE-2019-11162) in the hardware abstraction of the SEMA driver that could allow escalation of privilege, denial of service or information disclosure...

A final high-severity flaw was discovered in the system firmware of the Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. The flaw (CVE-2019-11140), with a CVSS score of 7.5 out of 10, stems from insufficient session validation in system firmware of the NUC. This could enable a user to potentially enable escalation of privilege, denial of service and information disclosure. An exploit of the flaw would come with drawbacks -- a bad actor would need existing privileges and local access to the victim system.

The article notes that the patches "come on the heels of a new type of side-channel attack revealed last week impacting millions of newer Intel microprocessors manufactured after 2012."
  • Intel Names Robert Swan CEO [intel.com]. (Jan. 31, 2019)

    "Swan, 58, who has been serving as Intel's interim CEO for seven months and as chief financial officer since 2016, is the seventh CEO in Intel's 50-year history. Swan has also been elected to Intel's board of directors."

    With no effective technology leadership, Intel cannot be successful, in my opinion.
    • by K. S. Kyosuke ( 729550 ) on Saturday August 17, 2019 @10:30PM (#59098010)

      With no effective technology leadership, Intel cannot be successful, in my opinion.

      You think this is Intel's...Swan song?

    • by antdude ( 79039 )

      That bugs me. Why didn't Intel board members pick someone to find a real CEO?

      • The problem stems from the 1980's when courts decided that the shareholders own the company. Why is that bad? Because Wall Street only cares about raising the share price each quarter. Nothing else!

        So who are you going to hire? Someone with technical knowledge? Or someone who is an accounting whiz with an MBA who can raise the share price and put in accounting tricks? The latter, obviously.

        Accountants should have no business running a company unless it's a financial services one. The original MBA program was

    • You do have a point. I'm not totally disagreeing, but there is a counterpoint.

      The job of the CEO in a company the size of Intel is to help decide whether or not to buy another large company and make that happen, to work with VPs who are good at working with directors who are good at managing managers who manage the tech leads that lead the development teams, etc. They are busy ASF doing their job running a huge company. They don't have time, even if they have the talent, to keep up on the technical detai

      • The CFO's job is to not spend money. The CEO's job is to spend money. Being a CFO does not prepare one to be a CEO. I worked for a tribal casino once where the CFO became the CEO and it was terrible. He didn't want to spend anything on anything and everything suffered.

      • Have you read "The Peter Principle" ? The book lays out the idea that people are promoted to their level of incompetence, the point at which they fail enough to not be promoted again. To achieve the rank of CEO does not necessarily mean the person is _good_ at that role, merely that they've succeeded in the roles below it. For engineers who are promoted to management, it's often the last stage of their career because what they were _really_ good at is no longer what they do.

      • I hate that ego we can manage technical skills can be learned BS.

        Steve Jobs had harsh words for leaders like this in today's environment. PepsiCo and Xerox were run into the ground. They didn't understand their product or their customers and never promoted the nerds underneath. At Apple when Steve was around he made the folks who were at the cutting edge stars and promoted them to leadership roles. Apple was phased out when he left and led again when he returned while Dell and others focused on share price

        • They didn't understand their product or their customers and never promoted the nerds underneath.

          Not understanding your product or customers is a fatal mistake, but that myopia is not limited to people from the finance end. What made Jobs supremely effective was not his non-existent engineering savvy; it was that he was a premier marketer. If sales and finance guys aren't understanding and adopting the correct marketing strategy, it's just as fatal as not placing the right technologist in charge to make strategic engineering decisions.

          It's ridiculous to be promoting nerds into positions outside of the

    • "With no effective technology leadership, Intel cannot be successful, in my opinion."

      NetBurst happened under Craig Barrett's watch.

  • by gweihir ( 88907 ) on Saturday August 17, 2019 @10:53PM (#59098048)

    Good software engineering comes without this type of fuckup. These are not "glitches", there are signs of severe incompetence and not caring. Sure, mistakes happen, but CVE "high severity" ones only happen when several things went seriously wrong.

    This story seems to celebrate the actions by Intel, when it should question how this happened in the first place. It is high time that severe engineering screw-ups in software stop getting a free pass and are called what they are.

    • Intel got very set in place and ripped people off with high costs and lack stuff like PCI-E lanes.

    • by AHuxley ( 892839 )
      But the CPU has to be faster and faster.
      One way to do that was a set release cycle and the hope that nobody smart would ever go looking.
      The other way was to design CPU products with an understanding of security long term.
      • by Viol8 ( 599362 ) on Sunday August 18, 2019 @05:28AM (#59098592) Homepage

        Constantly playing Intel and AMD off against each other to produce ever faster processors to run their poorly written bloatware. Why for example does Word these days need a 2GHz to run at a reasonable speed FFS when older versions with maybe 30% of the features (and 95% of the features anyone needed) used to run quite happily on a 66MHz 486!

        • by gtall ( 79522 )

          because "30% of the features (and 95% of the features anyone needed)".

          Say you are your basic software production outfit, you have users, you need a revenue stream. Software doesn't go bad, OSes do, then software must follow or be left not running because the OS guys really needed to add those extra special whizzies that make their cold little hearts go pitter-patter.

          That won't make your revenue stream fat enough. Your accountants will tell you this, and your competitors have added Extra Special Whizzie 2.71

        • Constantly playing Intel and AMD off against each other to produce ever faster processors to run their poorly written bloatware.

          Because that's what their customers want. Yeah I know, crazy idea, giving customers what they ask for. They want faster, and it's not theirs to ask the customers why they want it. Just give it to them. Why do you need more than 640K of memory?

          • by Viol8 ( 599362 )

            Customers want faster yet they get bloated slow software that requires a faster processor to run at the same speed as the older stuff requiring them to cough up for a new machine. Yeah, I'm sure they asked for that.

            Perhaps revisit your argument and get back to me.

  • Question (Score:3, Interesting)

    by Anonymous Coward on Sunday August 18, 2019 @02:15AM (#59098290)

    Have they patched the core vulnerability introduced by the fundamental design of their processors?

    • Nope. Everything they sell but itanic is still vulnerable to MELTDOWN.

      • They patched meltdown but the workaround made zombieload worse ironically.

        Meanwhile AMD doesn't have these problems and is now superior in performance as of recent. Comes to show what differences in leadership makes.

  • Don't install software you don't really need.

  • by Viol8 ( 599362 ) on Sunday August 18, 2019 @05:12AM (#59098566) Homepage

    Surely that's all you need to run to find out the processor type and hence its capabilities? Perhaps things have changed since I last wrote x86 assembler.
