Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious Flaw Patched In Intel Driver Update Utility (csoonline.com)

Posted by samzenpus on from the problem-protein dept.

itwbennett writes: The flaw in a utility that helps users download the latest drivers for their Intel hardware components stems from the tool using unencrypted HTTP connections to check for driver updates. It was discovered by researchers from Core Security and was reported to Intel in November. The Core Security researchers found that the utility was checking for new driver versions by downloading XML files from Intel's website over HTTP. These files included the IDs of hardware components, the latest driver versions available for them and the corresponding download URLs. Intel Driver Update Utility users are strongly advised to download the latest version from Intel's support website.

4 of 34 comments (clear)

  1. Good thing no one buys security from Intel by xxxJonBoyxxx · · Score: 4, Funny

    >> Intel uses unencrypted HTTP connections to check for driver updates.

    What a bunch of dumbasses! It's a good thing no one buys security from Intel!

    >> http://www.intelsecurity.com/
    >> http://www.intel.com/content/w...

    (quits laughing, starts crying)

  2. Re:This is "Serious"? by The-Ixian · · Score: 3, Informative

    More like someone could easily MITM an unencrypted HTTP stream and redirect the user to a different download.... then, when the person executes the malicious payload.... bam! cryptowall!

    --
    My eyes reflect the stars and a smile lights up my face.
  3. Re:Driver update utilities by gstoddart · · Score: 2

    Who on Earth savvy enough to update drivers uses a black box utility to download and install low level pieces of software (that require admin privs to install) like this?

    So, how many people have computers? How many of them are savvy enough to update drivers beyond what the computer tells them to do? How many laptops etc come with those "helpful" OEM turds designed to do this for you?

    Computers are magical, spooky things beyond the comprehension of mere mortals .. they don't want to know such things. My in-laws sure don't. They just want to sync the camera and print some stuff.

    Admin privs? Really? Do you know how many people disable UAC and run as a user with admin perms?

    Why are you surprised people want this?

    What's appalling is just how lazy and incompetent almost every company is about security. These are marketing features, slapped together and pushed out the door. Nobody gives a crap about security, because they have no consequences for not giving a crap about security.

    --
    Lost at C:>. Found at C.
  4. Re: Perhaps by ZeroWaiteState · · Score: 2

    The problem isn't that Intel driver files are secret. The problem is HTTP can't ensure the XML file that tells where to download hasn't been changed in transit. Most likely this was done in order to be proxy friendly. The downside is you get pwned if Satan is your proxy.