Slashdot Mirror


Serious Flaw Patched In Intel Driver Update Utility (csoonline.com)

itwbennett writes: The flaw in a utility that helps users download the latest drivers for their Intel hardware components stems from the tool using unencrypted HTTP connections to check for driver updates. It was discovered by researchers from Core Security and was reported to Intel in November. The Core Security researchers found that the utility was checking for new driver versions by downloading XML files from Intel's website over HTTP. These files included the IDs of hardware components, the latest driver versions available for them and the corresponding download URLs. Intel Driver Update Utility users are strongly advised to download the latest version from Intel's support website.

34 comments

  1. Good thing no one buys security from Intel by xxxJonBoyxxx · · Score: 4, Funny

    >> Intel uses unencrypted HTTP connections to check for driver updates.

    What a bunch of dumbasses! It's a good thing no one buys security from Intel!

    >> http://www.intelsecurity.com/
    >> http://www.intel.com/content/w...

    (quits laughing, starts crying)

    1. Re:Good thing no one buys security from Intel by ZeRu · · Score: 1

      Now, if they only would fix the "Intel RST service is not running" bug that I've been experiencing for months...

      --
      If you post as an AC, don't expect me to spend a mod point on you.
  2. This is "Serious"? by Anonymous Coward · · Score: 1, Funny

    So, someone can see what hardware components you have. Scary stuff.

    1. Re:This is "Serious"? by The-Ixian · · Score: 3, Informative

      More like someone could easily MITM an unencrypted HTTP stream and redirect the user to a different download.... then, when the person executes the malicious payload.... bam! cryptowall!

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:This is "Serious"? by Anonymous Coward · · Score: 0

Someone on the Slashdot staff is getting paid by CSO to promote their crappy, uninteresting articles... there's a bunch of more interesting stuff in the submissions channel, but they keep promoting the CSO stuff each day.

    3. Re:This is "Serious"? by Anonymous Coward · · Score: 0

      scary how dumb you are, lady.

    4. Re:This is "Serious"? by Anonymous Coward · · Score: 0

While that is possible, the number of attacks that happen via MITM is small. These sorts of things are generally nation-state attacks due to the complexity required to pull it off without impacting other users negatively.

      If you sat in your local coffee shop and ARP-poisoned people for a long while, you probably wouldn't get anyone updating drivers via this app.

      In short, this is blogspam.

    5. Re:This is "Serious"? by gcnaddict · · Score: 1

      The tool isn't enforcing code signatures? That's infinitely scarier... that's what you're suggesting, yes?

      --
      Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
    6. Re:This is "Serious"? by The-Ixian · · Score: 1

      I disagree.

      I think that attackers are increasingly sophisticated.

      All you would need to do is set up an open wifi hotspot, have someone connect to it, and inject some kind of message that they need to update their driver software and then link/redirect to the legit Intel web site. The user doesn't even have to be fooled, they are downloading a genuine Intel software product.

      Then, when they go to update their driver, the MITM captures the XML and puts their own links in.

      --
      My eyes reflect the stars and a smile lights up my face.
    7. Re:This is "Serious"? by Anonymous Coward · · Score: 0

      With MITM you can transparently intercept a TLS connection as well.

    8. Re:This is "Serious"? by Anonymous Coward · · Score: 0

      That's still a substantial amount of effort and requires putting a physical asset in play or owning a hotspot somewhere with enough support so that you can do MITM. You then have to rely on social engineering to get the user to run the update via the driver update utility. It's not sophistication, it's effort.

      Yes, it will work a guaranteed percentage of the time, but given the investment required it isn't worth it.

There have been plenty of these sorts of vulns made public over the last few years, and they are not among the top exploited vulns each year.

    9. Re:This is "Serious"? by KingMotley · · Score: 1

      Or you could send them via email a link to a cat video that they need to run badprogram.exe to install the kitty codec to watch it.

  3. Not a big deal. by Anonymous Coward · · Score: 0

    As long as there isn't sensitive information being transmitted, this really isn't a big deal. Pinging a server for the latest driver version is a harmless task and as long as you aren't already the victim of the MITM attack really shouldn't pose any significant threat.

  4. Driver update utilities by The-Ixian · · Score: 1

    I mean... it's like the oldest malware install vector of all time... download this driver update utility! We will abstract away that awful task of identifying your hardware and downloading software....

    Who on Earth savvy enough to update drivers uses a black box utility to download and install low level pieces of software (that require admin privs to install) like this?

    --
    My eyes reflect the stars and a smile lights up my face.
    1. Re:Driver update utilities by gstoddart · · Score: 2

>> Who on Earth savvy enough to update drivers uses a black box utility to download and install low level pieces of software (that require admin privs to install) like this?

      So, how many people have computers? How many of them are savvy enough to update drivers beyond what the computer tells them to do? How many laptops etc come with those "helpful" OEM turds designed to do this for you?

Computers are magical, spooky things beyond the comprehension of mere mortals... they don't want to know such things. My in-laws sure don't. They just want to sync the camera and print some stuff.

      Admin privs? Really? Do you know how many people disable UAC and run as a user with admin perms?

      Why are you surprised people want this?

      What's appalling is just how lazy and incompetent almost every company is about security. These are marketing features, slapped together and pushed out the door. Nobody gives a crap about security, because they have no consequences for not giving a crap about security.

      --
      Lost at C:>. Found at C.
    2. Re: Driver update utilities by ZeroWaiteState · · Score: 1

      Their update utilities often come preloaded on OEM machine images.

    3. Re:Driver update utilities by The-Ixian · · Score: 1

      I guess my point is, if you know that you need to update a driver AND you have made it to the manufacturer web site to download the driver AND you have navigated to the driver download page where the updater is likely to live anyway, how much extra work is it to just find the driver directly?

      --
      My eyes reflect the stars and a smile lights up my face.
    4. Re: Driver update utilities by The-Ixian · · Score: 1

      Fair enough.

      I was thinking of driver update utilities that are pushed from the manufacturer's driver download web page.

      I mean, you've already gotten that far and done about 85% of the work (identifying the hardware, finding the manufacturer web site, navigating to the download section) and NOW is when you get the "easy mode" option.... just click 2 or 3 more times and get the driver directly.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Driver update utilities by reg · · Score: 1

Every smart admin out there... I just wish that Windows Update covered more software and hardware, so Windows machines only needed one update utility like Linux boxes... Macs are a little better, especially for things that have migrated into the app store.

      Regards,
      -Jeremy

    6. Re:Driver update utilities by MerlynEmrys67 · · Score: 1

      Not quite... The damned utilities are installed by the OEM as a part of the driver suite from the manufacturer (Yes, pretty much all manufacturers leave a turd like this running in the background). Utility tells you that there is an updated file to install, please click Install...

      --
      I have mod points and I am not afraid to use them
    7. Re:Driver update utilities by gstoddart · · Score: 1

      See, for so many people, unless a popup comes up, says you need an updated driver, and guides them through the process ... this is exactly what won't happen. They don't know a damned thing about this.

      Are you so utterly out of touch with non-technical people to not grasp that these people aren't going gee, I need to update my driver so I should hop on over to the manufacturer website and find it? They're going "ZOMG, kittens!" They don't even know (or care) what a driver is.

      Honestly, do you now know any non-technical people? Because the first bunch of steps in this process simply don't happen.

      --
      Lost at C:>. Found at C.
  5. Intel by Anonymous Coward · · Score: 1

    I hate that damn utility. It was so much better when Intel had a drop down menu on their website that allowed users to simply select the drivers they needed. Now all the user can do is try to search for a driver and hope they get the right one, or use that crappy utility. Nice going Intel. :-/

  6. I'm not worried by Anonymous Coward · · Score: 0

    I just updated it through the driver update utility! I wish they didn't add these toolbars to it though.

  7. That tool does not even work that well by Joe_Dragon · · Score: 1

That tool does not even work that well on boards with Intel chipsets; oftentimes it says no drivers, even on high-end boards with the latest chipsets.

  8. Perhaps by s.petry · · Score: 1

I have no problem with certain types of content being unencrypted. If it's static and does nothing, the HTTP protocol "should" be fine (depending on the app using the content). I also have no problem with people having a port 80 listener redirecting to port 443. People are too lazy to type in a URL, let alone "https://".

    I didn't look at either of those links to investigate if the above scenarios are present. I have seen people say "Ugh, http needs to die" to any discussions regarding HTTP and HTTPS protocol (more lately for some reason).

--
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re: Perhaps by ZeroWaiteState · · Score: 2

      The problem isn't that Intel driver files are secret. The problem is HTTP can't ensure the XML file that tells where to download hasn't been changed in transit. Most likely this was done in order to be proxy friendly. The downside is you get pwned if Satan is your proxy.

    2. Re:Perhaps by cheater512 · · Score: 1

      You forget that SSL provides two benefits, not one.

      1. No one can intercept the communication and read the messages. No one cares for driver updates so yep you would be perfectly safe letting everyone on your network read the driver files.

      2. It proves that you are talking to who you think you are talking to. This is the bit you miss - for important system files that are executable, it's kinda important to make sure you get them from the legitimate source.
      As it stands if you go to a coffee shop, anyone else there could tell your computer that there is a critical driver update coming from a malware server and your computer would happily download it.

    3. Re: Perhaps by s.petry · · Score: 1

      You just reinforced what I said. The problem is not that HTTP is being used, it's that the client is trying to do everything through HTTP and the XML parsing does no validation. This is a client problem, not a protocol problem.

--
      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

9. Flaw in Intel's software process by MerlynEmrys67 · · Score: 1

    So having worked at Intel in software for many years - there is a fundamental flaw. Each group inside Intel hires an "installer guy" that is responsible for installing and updating their component. Get enough Intel hardware/software on your system and you will see 3 or 4 of these utilities running - each with their own little flaws.

    What I would have expected is an Intel update tool that each group would plug into and get updates handled. Then instead of the 15-20 people working on installers at Intel, each making their own flawed implementation, you would have 5-10 people at Intel working on an awesome installer with the rest being used to make products better.

    Never happen in their org, though.

    --
    I have mod points and I am not afraid to use them
  10. Proper URL by Anonymous Coward · · Score: 0

    Let's skip the CSO mumbo-jumbo... Here's the proper link: http://www.coresecurity.com/ad...

11. Tip of the iceberg by nuckfuts · · Score: 1

    FTA:

    >> The tool was designed to check that the download URLs pointed to files hosted under the intel.com domain name. However, man-in-the-middle attackers would have been able to both modify the XML files in transit and to bypass the tool's domain check by using techniques such as ARP poisoning and DNS spoofing.

    If you have someone doing ARP poisoning on your LAN and hijacking your DNS, you have a hell of a lot bigger problem than the issue with Intel's update utility.

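The integrity point ZeroWaiteState and cheater512 make, and the domain check quoted from the article above, as an added example in Go (not code from Intel's tool or the article): the client only acts on the update XML if a signature over it verifies against a key pinned in the client, and then accepts only https download URLs whose host is intel.com or a subdomain. The manifest, element names and the demo key pair are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"fmt"
	"net/url"
	"strings"
)

// Constructed stand-in for the update XML the article describes; element names are assumptions.
const SampleManifest = `<updates><driver id="8086:1234"><version>20.1</version>` +
	`<url>https://downloadcenter.intel.com/example.exe</url></driver></updates>`
type Manifest struct {
	Drivers []struct {
		URL string `xml:"url"`
	} `xml:"driver"`
}
// VerifyManifest acts on the XML only if its signature checks against a key pinned in the client
// (a rewrite in transit fails), then requires https and a host that is intel.com or a subdomain.
func VerifyManifest(pub ed25519.PublicKey, raw, sig []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, raw, sig) {
		return nil, fmt.Errorf("manifest signature invalid: modified in transit?")
	}
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	for _, d := range m.Drivers {
		u, err := url.Parse(d.URL)
		if err != nil || u.Scheme != "https" {
			return nil, fmt.Errorf("download URL must be https: %q", d.URL)
		}
		// Label-aware suffix check: "intel.com.example.net" does not pass.
		if h := strings.ToLower(u.Hostname()); h != "intel.com" && !strings.HasSuffix(h, ".intel.com") {
			return nil, fmt.Errorf("host not under intel.com: %q", h)
		}
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key; a real client pins the vendor's key
	sig := ed25519.Sign(priv, []byte(SampleManifest))
	tampered := strings.Replace(SampleManifest, "downloadcenter", "evil", 1) // host still under intel.com
	_, okErr := VerifyManifest(pub, []byte(SampleManifest), sig)
	_, badErr := VerifyManifest(pub, []byte(tampered), sig) // caught by the signature, not the host check
	fmt.Println("genuine:", okErr, "| rewritten in transit:", badErr)
}
```

The https requirement is what gives the domain check teeth: a spoofed DNS answer for an intel.com host still has to present a certificate valid for that name, which a TLS client that verifies certificates will reject.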
12. Windows 10 does, but in a forced way by Joe_Dragon · · Score: 1

    Windows 10 does, but in a forced way, even at times where it fights with Nvidia/ATI tools as well.

  13. I knew there was something wrong by Ilgaz · · Score: 1

That junk was absolutely outsourced and coded by some "trendy" team; it was NEVER tested on the most common Intel graphics displays such as 1366x768 (ultrabooks) or 1280x720 (old HDTV). How do I know? Well, it doesn't display properly with the large font setting of Windows.

    It also installs a documented, opt-in but very alarming piece of data-mining software running as administrator.