Intel Management Engine vulnerability: Microsoft it doesn’t affect Surface

Topic

New Reply

You may have heard about the Intel Management Engine security bugs. A spate of research, publicized in the past few weeks, has left a lot of people wo
[See the full post at: Intel Management Engine vulnerability: Microsoft it doesn’t affect Surface]

Reply | Quote

Replies

I think the main reason M$-Surface devices are not affected by the Intel ME/AMT/vPro bug is because they are mostly Wifi-only devices, ie they do not have Wired Ethernet network adapter cards. …
https://software.intel.com/en-us/articles/technical-considerations-for-intel-amt-in-a-wireless-environment

Reply | Quote

Quick, Somebody test the Surface despite Microsoft’s claim.

Reply | Quote

So of course the critical questions for me are:

1. Do I have the Intel Management Engine on my computer?

2. Do I need the Intel Management Engine on my computer?

3. What are the consequences of removing the Intel Management Engine from my computer?

and 4. How do I remove the Intel Management Engine from my computer?

Thank you.

Reply | Quote

Go to the computer manufacturer’s website and and find the specs for your PC. then go to the Intel website – they have an app you can download to see if you are vulnerable.

There is more information on this here.

3 users thanked author for this post.

rc primak, SueW, RamRod

Reply | Quote

This is the report from the Intel tool (SA-00086)

Tool Started 12/12/2017 4:12:31 PM
Name: DESKTOP-PDS3L34
Manufacturer: LENOVO
Model: 80R3
Processor Name: Intel(R) Core(TM) i5-6200U CPU @ 2.30GHzOS
Version: Microsoft Windows 10 Home
Status: This system is vulnerable.
Tool Stopped

I then went to the Lenovo site and tried to find my model. Near as I can tell Lenovo agrees that my system is vulnerable, but has no remedy as of today.

Great.

I repeat, do I even need this malware, er sorry, management software on my computer?

RamRod

Reply | Quote

Actually the ME is built into your hardware and there is no way to remove it.

Windows 10 Pro 22H2

Reply | Quote

The IME mentioned here is part of the BIOS or UEFI Firmware, which cannot be removed. Instead, go to the Intel site (for Intel builds) or the device manufacturer’s website, and download the latest BIOS Update or update for the UEFI Firmware. This worked on my Intel NUC (after two attempts, using different BIOS update methods). On my Intel tablet, it’s an ATOM processor, which is not vulnerable.

It may take up to a couple of weeks for all major manufacturers to provide firmware updates, so be patient if your efforts to find an update now fail. Chances are very slim that you will get hacked in the interim.

The actual firmware update is usually pretty fast and painless.

-- rc primak

Reply | Quote

Risk Assessment
Based on the analysis performed by this tool, this system is not vulnerable; the ME SKU is not affected.

Explanation:

If Vulnerable, contact your OEM for support and remediation of this system.
For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689
or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075
INTEL-SA-00075 Detection Tool
Application Version: 1.0.3.215
Scan date: 2017-12-12 20:50:45
Host Computer Information
Name: SF-HAXOR
Manufacturer: Microsoft Corporation
Model: Surface Pro 4
Processor Name: Intel(R) Core(TM) i5-6300U CPU @ 2.40GHz
Windows Version: Microsoft Windows 10 Enterprise
ME Information
Version: 11.7.4.3330
SKU: Consumer
Provisioning Mode: Not Provisioned
Control Mode: None
Is CCM Disabled: True
Driver installation found: True
EHBC Enabled: False
LMS service state: NotPresent
microLMS service state: NotPresent
Is SPS: False

Edit to remove HTML.
Please convert to plain text before copy/paste

Reply | Quote

So you’re safe. Breathe easy and move on to the next Surface issue. There will be one, I assure you.

-- rc primak

Reply | Quote

I had an issue with Windows 10 not updating a feature update 1709. Its an old laptop. As a second device, it does the job. I can live without replacing it until it passes my use-by date.

Windows update reports the Intel Atom in my device is not supported. Fair enough. What’s not ‘fair enough’ is that Windows 10 kept trying to load the update then reporting after both download and installation the reason for the problem. Its a big update. It chewed a lot of bandwidth and CPU cycles failing nine times before I discovered the problem and hid the update last month… and again this month (two fails)! The obvious (and rhetorical) question is why does Windows check compatibility after download and attempt to install. The other  question would be why did the update unhide this month (rhetorical – I don’t expect an answer here).

To the point (which is a tenuous link to the thread, I know). The error message delivered about the lack of compatibility includes a link ‘for further information’. The link leads to a Microsoft advertisement for Surface. They have no shame!

Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)

Reply | Quote

If you are using Window 10 version 1703, there has been introduced a flaw that ignores feature update settings and hidden updates. This may also why you are getting forced updates on an Atom based system. The other one reason I can think of is Microsoft was supposed to have created an Atom CPU block list, Windows 10 may also be ignoring that list.

Reply | Quote

Ha-ha!

Once again it pays off to be old and in the left-behind, “pre-generation” generation! 😀

Running a Core i7-930 on a X58 chipset… which btw. is so fast and powerful, that I’ve never bothered to even think of updating it.

Doubt it has ever run any hotter than ~38 degrees… even Silent Hunter 4’s 3D-mode can’t make it sweat… those, who know that game, knows.

Hmmm… Surface Pro? Never gonna happen here… in a phase slowly backing away from anything Microsoft related.

2 users thanked author for this post.

jelson, Bill C.

Reply | Quote

Well, in more modern Intel PCs it’s not like the firmware update is difficult or likely to cause hardware issues.

-- rc primak

Reply | Quote