A lot of their claims sound very scary, but I don't really know what to make of this as an average user. Is there an explanation of what this stuff means for me? What security vulnerabilities does this allow for on Intel CPUs? Are they worth worrying about? On a scale of "minor bug" to "every single Intel chip is easily able to run arbitrary code and is vulnerable on a hardware level", how bad is this exactly?

> How bad is this exactly?

7.1 out of 10

https://www.intel.com/content/www/us/en/security-center/advi...

This was part of IPU 2021.2 in November, and other bugs in other CPUs were fixed as well, one rated 8.2 affecting many, but not all, Intel CPUs (intel-sa-00562). If you haven't updated your UEFI/BIOS since last November and you love to run untrusted code by untrusted third parties on your CPU, the larger story about microcode bugs and privilege escalation into the management engine is bad and best fixed by keeping up to date with microcode updates.

Please note that the IPU 2021.2 fixes are not runtime loadable: https://github.com/intel/Intel-Linux-Processor-Microcode-Dat... and require a UEFI/BIOS update.

The concrete story is mostly about a problem with the Atom line, which allowed code execution in the IME and a full dump of it. Very interesting for nerds that want to hack into that for reasons of taking ownership of what they bought, less interesting for malware, but not irrelevant. The link is about the Chip Red Pill Team giving a talk about how they broke the Atom and what Intel hides inside.

It is a good talk by people who have years of experience cracking open Intel's chips. I can recommend it to anyone who cares about that.

From a news perspective, however, it is three months old, if we ignore the ZeroNights Russia talk in September ;-)