Serious Intel CPU security flaw affects millions and can't be fixed


What you need to know

  • It's been discovered that a security bug affecting many Intel systems is worse than initially thought.
  • The bug lies within the Converged Security and Management Engine, meaning it can't be fully fixed with software or firmware updates.
  • To fully fix the issue, people would have to replace the CPU of their device.

A security bug affecting many Intel systems is worse than previously thought. The bug affects the majority of Intel CPUs released in the last five years. The bug lies within the Converged Security and Management Engine (CSME), meaning it can't be fully fixed with software or firmware updates. Positive Technologies breaks down the bug and explains the risks that it potentially raises for PCs.

The issue leaves systems that are affected open to physical or local attacks. Mark Ermolov, the author of the report from Positive Technologies, says that the bug can be potentially exploited through local access, stating, "Some of them might require local access; others need physical access."

Because the issue is within the CSME, it can't be fixed without changing hardware. CSME is the "Root of Trust" for security on a platform. LaptopMag explains that "the system relies on it as a trusted source of cryptographic security," adding, "Because the flaw is in the bootROM of CSME it cannot be changed after manufacturing."

According to Positive Technologies, people who want to exploit this vulnerability will look to extract a hardware key that is used to encrypt the Chipset Key. That key is not platform-specific, meaning that a single key could be used for "an entire generation of Intel chipsets." Positive Technologies believes that extracting this key is "only a matter of time," adding, "When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."

When ZDNet asked for a comment from Intel, Intel reaffirmed that the bug can only be exploited through physical access. It also urged people to apply the May 2019 updates.

Sean Endicott
News Writer and apps editor