Gigabyte Issues BIOS Countermeasures for Intel Security Vulnerability

By Published November 21, 2017 at 3:37 pm

Gigabyte is releasing security updates for Intel motherboards making use of Intel ME (Management Engine) and TXE (Trusted Execution Engine). The first batch of updates will be for Z370 and 200-series boards, with older generations following. Gigabyte will be supplying patched BIOS versions as well as the latest Intel ME and TXE drivers on their website.

Gigabyte’s announcement follows a notice from the Intel Security Center about “security vulnerabilities that could potentially place impacted platforms at risk.” These vulnerabilities have to do with MINIX, a lightweight OS designed by educator Andrew Tanenbaum (as discussed in this week’s HW News), and its use in Intel’s ME. As reported by Tom’s Hardware earlier this month, a Google team led by software engineer Ron Minnich is responsible for uncovering MINIX’s role in the ME and expressing their concerns in a presentation bluntly titled “Replace your exploit-ridden firmware with a Linux kernel.”

The Intel ME is a complete OS running on dedicated hardware in Intel systems. It’s an inaccessible black box to users, inspiring paranoia that is in this case potentially justified. Prof. Tanenbaum himself, who was unaware until recently of Intel’s (completely legal) use of MINIX, ended his response with “Putting a possible spy in every computer is a terrible development.” He notes that MINIX, especially the older version Intel adopted, was designed more for education than security.

The publicity surrounding these discoveries prompted “an in-depth comprehensive security review,” which found that a successful attacker could do the following:

  • Impersonate the ME/SPS/TXE, thereby impacting local security feature attestation validity.
  • Load and execute arbitrary code outside the visibility of the user and operating system.
  • Cause a system crash or system instability.

These issues are now solved, according to Intel, but the security notice doesn’t make any specific mention of MINIX or whether it has been completely replaced.

- Patrick Lathan

We moderate comments on a ~24~48 hour cycle. There will be some delay after submitting a comment.

  VigLink badge