[resoluteteeth]

The article implies that they have been privately trying to get Intel to fix it, so there is no reason it would have been mentioned publicly anywhere.

Now a patch is coming out but Intel is still trying to keep it quiet, so he's trying to warn people disable AMT and be ready to apply patches ASAP.

Presumably he didn't even want to disclose the existence of the vulnerability publicly until there was some sort of fix, and he still won't want to disclose details before the fix is released.

Of course, you can doubt the veracity of this story, but I'm just pointing out that there would be no reason to expect details, cross references, or mentions on Google or security lists yet if it is true.

[tomku]

If Charlie was a security researcher and SemiAccurate was a well-regarded security firm, I would not expect details or cross-references or mentions on security lists. Charlie is not a security researcher, he's a journalist, and SemiAccurate is the tech equivalent of a supermarket tabloid. He is not a credible primary source for anything security-related, particularly given SemiAccurate's reputation for publishing rumors as facts.

None of that means he's necessarily wrong, just that you should be very careful about believing his claims without supporting evidence. A lot of people here on HN have thought that a remote ME exploit was only a matter of time, so an article claiming to validate that belief will not get as much skepticism as it should.

[i336_]

FWIW, Intel published this: https://security-center.intel.com/advisory.aspx?intelid=INTE...

[ajdlinux]

It does seem suspicious to me that this hugely critical flaw deep in the firmware stack has been discovered by the writing staff of a tech news website rather than an infosec research team...

[tyingq]

The article sort of reads like he has thought (not known) there was an issue for a long time.

Then, he saw that Intel released a patch related to the management engine, and took that as confirmation? Maybe he has access to the release notes via a source at an OEM?

[Natanael_L]

He got the affected version numbers exactly right, but according to Intel he got the affected hardware wrong (consumer hardware unaffected).

That tells me he got the information from an unmentioned source. If he had the details himself he would be able to confirm what hardware it is present on by testing it.

The explanation for that error code be that the source have been vague about it or not tested it on a lot of hardware, or isn't even a firsthand source, or that the journalist misunderstood it.

https://security-center.intel.com/advisory.aspx?intelid=INTE...

[tyingq]

Ah. To be fair, that intel.com link is confusing, because it sends you off to see if you have "Intel® vPro", which is certainly on consumer hardware, like various i5 and i7 systems. Which does not jive with the earlier line "This vulnerability does not exist on Intel-based consumer PCs". It sort of depends on your definition of consumer hardware.

Overall, though, it does seem to validate the sequence was something like "he had a suspicion" then "intel released an update".

[throwaway91111]

Is there any way to avoid the patch and reverse engineer it to "root" ME and cripple it?

I'd guess this would be a lot of interest for "hacker" news; i want to sign my own damn firmware.

[milcron]

Yes, but we've only figured out how to do that for old hardware.

Check out https://libreboot.org/docs/hardware/gm45_remove_me.html