New warnings claim that pretty much every Intel processor released in the last five years has a security flaw baked into the silicon, which can't actually be fixed as such, although the chip maker has already implemented mitigations.
Security firm Positive Technologies found that Intel's mitigations (enacted since the initial bug was first discovered in May 2019) might not be sufficient to fully protect a PC from an attack.
The more positive news (pun not intended) is that the vulnerability, which is present in Intel's Converged Security and Management Engine (CSME), a subsystem inside the CPU which takes care of all manner of important security duties, right from pushing the power button, is not trivial to exploit. In fact, it's a tricky matter to do so.
Intel first described the security flaw as: "Insufficient access control vulnerability in subsystem for [CSME versions] may allow an unauthenticated user to potentially enable escalation of privilege via physical access."
So in other words, you need physical access (or local access, potentially in some cases, Positive Technologies qualifies) to the machine to attempt to leverage the vulnerability, which, coupled with the sophisticated nature of the attack, makes this a difficult exploit to pull off.
But it's still a worrying state of affairs when there's apparently a security flaw directly in the silicon which isn't fixable, as it can't be patched via a firmware update.
Positive Technologies observes that this is because the problem is present in the very early stages of the subsystem's [CSME's] operation, in its boot ROM, and that it's impossible to fix firmware errors that are hard-coded in the mask ROM.
The security firm further notes that Intel has said it's already aware of the issues here, and understands that it cannot fix the vulnerability in the ROM, so instead it's attempting to patch all possible attack vectors. But mitigating against every conceivable exploit could obviously be a difficult process.
Positive Technologies warned: "This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole."
In short, it's another blow to Intel's reputation on the security front, which it can ill afford given the huge amount of ground AMD is gaining with its Ryzen offerings.