PSA: Remember To Update Your Intel Management Engine (Updated)

Update, 11/30/2017, 11:25am PT: Asus responded to our request for comment with a link to a page containing a list of affected server and WS models. The company said it has verified the issue and plans to address it in the next BIOS update, though it didn't say when that update will arrive.

Original, 11/28/2017, 8am PT:

In light of Intel’s recent announcement of the vulnerabilities found and fixed in its Management Engine (ME), referred to as INTEL-SA-00086, many OEMs have begun issuing firmware updates for their products. We at Tom’s Hardware would like to remind you to check your hardware OEM’s support pages for updates.

The INTEL-SA-00086 issue affects you if you have a product with any of the following Intel CPUs:

If you have an affected product, you’ll need a firmware update from the motherboard or system OEM, as well as possibly a driver update from Intel. If your system is Windows- or Linux-based, then the easiest way to know if you need an update is to install Intel’s SA-00086 Detection Tool. Intel has released links to support pages for most system OEMs, including Acer, Dell, Lenovo, and Toshiba, just to name a few.

For embedded systems, finding out if you're affected and getting an update might be more of an issue. Intel has addressed its own NUCs here, and we found updates from Synology for its Celeron-powered NAS systems. We assume similar devices from other OEMs, such as QNAP and Asustor, are also affected.

For DIY builders, Gigabyte and MSI have announced BIOS updates, but we’ve yet to see them for many of the affected motherboards. ASRock released comprehensive instructions for some of its affected products, whereas Asus didn’t announce anything, but we’ve found an ME update for a number of its motherboards. EVGA told us that it’s working on releasing updates. Everything we've seen so far has been for 100/200/300 series motherboards only, however. We haven't found anything for X299 motherboards, which are also affected.

We’ve reached out to Supermicro, ECS, and Biostar as well, but have yet to receive a response.

  • damric
    No thank you
  • lun471k
    Let's all have a thought for the poor people using Damric's computer.
  • spdragoo
    20425517 said:
    No thank you

    ???

    "No thank you" = "I don't need to worry about this because my Intel CPU isn't on the list of affected CPUs"?

    "No thank you" = "I don't have to worry about this because I'm running an AMD-based machine"?

    Or (hopefully not) "No thank you" = "I don't care if they release an update or not, I'm just going to ignore it & hope it goes away"?
  • AndyWiryaPeaceful
    What if I don't install Intel ME ever?
  • nyc2pdx
    Does this affect iMacs with Kaby Lake i7's?
  • damric
    No thank you. I do not use, nor need, nor install Intel ME, ever. And of course I would not let you near any of my computers. You aren't smart enough to be in the same room as my dog.
  • none12345
    "I do not use, nor need, nor install Intel ME, ever"

    You do realize what it is, right? It's a coprocessor that is embedded into the Intel chips. You don't get a choice to install it or not install it. It's there no matter what you do.

    It can read and write memory without your os being aware that it has read or changed any data. It has complete access to your system. Security holes into the IME leave your system completely open to anything, and you should take them seriously.
  • spdragoo
    20427101 said:
    What if I don't install Intel ME ever?

    20427159 said:
    Does this affect iMacs with Kaby Lake i7's?

    20427755 said:
    No thank you. I do not use, nor need, nor install Intel ME, ever. And of course I would not let you near any of my computers. You aren't smart enough to be in the same room as my dog.

    These are the things you must realize about Intel ME:

    ■ This is not merely some sort of software utility that you can choose whether to install or not. It is a physical subprocessor that is part of the Intel CPU (https://www.howtogeek.com/334013/intel-management-engine-explained-the-tiny-computer-inside-your-cpu/). That means that if you have one of the CPUs listed in the article, you already have Intel ME installed in your PC.
    ■ As noted in both this article & the one on HowToGeek.com, this chip runs separately from your normal PC (including having full access to the data, TCP/IP connections, etc. on your PC), & can apparently even run when your PC is in Sleep mode or shut down (I would imagine the only way it won't run is if you completely pull the power plug on the PC). And right now, Intel not only offers no way to disable it or turn it off, but is actively resistant to revealing any method of turning it off (let alone details of what exactly it does).
    ■ Macs that have the associated Intel CPUs are also affected by this (https://apple.stackexchange.com/questions/306959/intel-management-engine-is-macos-vulnerable). Remember, this is installed by Intel (Intel, not Apple, manufactures the CPUs), & the chip runs its own Intel-designed firmware/OS that is not tied to the main OS (Windows, Linux, OS X, it doesn't matter).
    So, @damric, you don't have to worry about whether or not you'll be downloading Intel ME in the future...because if you have a Skylake/Kaby Lake/Coffee Lake CPU you've had it on your PC from day 1. And you're not going to be able to get rid of it...but you can patch the vulnerability.
  • Darkbreeze
    I contacted Gigabyte about this and they said they were unaware of any intended updates to any of their Z170 or Z270 motherboards to address this. I also don't see any updated chipset drivers on the Intel website for the 100 series boards.

    I just got that reply back from Gigabyte today after inquiring on Friday, so I don't know who at Gigabyte is telling you they released them, but maybe they need to get on the same page as their technical support staff.
  • shrapnel_indie
    20427159 said:
    Does this affect iMacs with Kaby Lake i7's?

    I would have to imagine Yes. The Linux version of the test *might* work as OS-X is Linux based. (I'd double check first before trying.)