Flaws found in Intel Management Engine (ME), TXE and SPS

Steve C said:

I have a Gigabyte GA-Z77X-UD5H motherboard with a i5-3570K CPU. The Intel tool says my system is not at risk. However, Gigabyte has just released a new BIOS F16j for this 2012 motherboard which says "Adjust MATS table to improve OS compatibility". Does this relate to the Intel vulnerability or something else?

fdegrove said:

Hi,
@Steve C : That has nothing to do with this vulnerability.

Cheers,

Information on VBS & MATS: Virtualization-based Security (VBS) | Microsoft Docs

And if you really want to understand how it all comes together(send everyone away, make a large pot of coffee, and have fun(?)reading and following all the links): Mitigate threats by using Windows 10 security features (Windows 10) | Microsoft Docs

lx07 said:

Isn't the point that this runs underneath Windows (or Linux or any other OS you are running).

There is not really any point reading about mitigations MS may have done if your system is compromised before Windows even loads.

Windows (or any other OS) is unaware of what IME is doing. Just see the first post in this thread.

Please don't think me a tin foil hatted loon (I'm not) but surely Intel baking a separate CPU and OS running under and before any OS you install is something to be mildly concerned about. Especially if its (undisclosed) functionality isn't documented at all and then turns out to be vulnerable.

Even the developer of Minix(the OS that's used for IME) was surprised.
http://www.cs.vu.nl/~ast/intel/

Andrew S. Tanenbaum, Professor at the Vrije Universiteit

Cliff S said:

By the way, some PC owners, those with "Off the shelf" PCs, like laptops, workstations, and so on, might not even get the needed BIOS update.

A good example, my Lenovo H530, that originally came with Windows 8.1, hasn't had a BIOS/UEFI update since NOV 17th, 2016, and most drivers hav't been updated(from Lenovo) in there last 2 years either.
So don't be surprised if the OEMs have stopped supporting your equipment.

Yep! My Lenovo Intel Lappy is a 14" Flex 4-1470 and isn't even mentioned in Lenovo's list of affected computers. The first one listed is the Flex 5-1470, and nope, that wasn't a typo on their part.

So, I'm not sure what I should do.

xips said:

See Lenovo's Intel ME 11.x, SPS 4.0, and TXE 3.0 Cumulative Security Update list.

Thanks, Xips! I checked yesterday and my Flex 4-1470 wasn't there. They must have updated the list whilst I was sleeping. Which is good. Now I just have to wait until tomorrow. Maybe.

I have a Lenovo K450 which has a Intel 4th gen processor. Intel says it's not vulnerable, Lenovo says it's not vulnerable and the tools says it's not vulnerable, so I'm A-okay.