Chipzilla patches firmware, drivers, SDKs
Hot on the heels of Patch Tuesday fixes from Microsoft, Apple, Adobe, and SAP, Intel has dropped its monthly security bundle to address a series of seven CVE-listed vulnerabilities in its firmware and software.
The most serious of the seven is the patch for CVE-2019-11162, a vulnerability in the Intel Compute Improvement Program software. This program is an opt-in diagnostic tool that collects detailed information about the hardware it's running on and less-detailed information about activities like type of sites browsed, applications used and what region of the world the computer is being used in.
According to Intel, one of the drivers in the tool is actually the source of the vulnerability, which while serious is not exploitable over the network, at least. It can be exploited by a bad user or malware already on a system to take control of the box via privilege escalation, or crash it or make it leak information.
"Insufficient access control in hardware abstraction in SEMA driver for Intel Computing Improvement Program before version 2.4.0.04733 may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access," Chipzilla says in its summary of the flaw.
Users and admins are advised to update their software to version 2.4.0.04733 or later. Credit for the discovery was given to security researcher Jesse Michael.
Another diagnostic tool, the Intel Processor Identification Utility, was the host of CVE-2019-11163, a flaw that would allow a local ..