Significant Security Flaw Discovered in Intel Driver Software

A major security flaw has been discovered by Intel in its driver utility tool that could potentially allow a malicious attacker to install malware, remotely.

Intel has now fixed a significant vulnerability in the all too important driver utility tool used by millions of end users.

A security advisory by the prominent chipmaker has admitted that several versions of the utility tool put PCs at risk due to the unencrypted SSL connection they use to connect with Intel’s servers. The situation gives rise to the possibility of a man-in-the-middle attack on the software by an attacker who would be able to manipulate the driver software to download unwanted malicious files instead.

An independent security firm called Core Security made the discovery and privately notified Intel of the flaw back in November 2015. Subsequently, the security firm also posted the details of the flaw on the widely known Full Disclosure mailing list.

The description of the vulnerability from Core Security read:

Intel Driver Update Utility is prone to a Man in The Middle attack which could result in integrity corruption of the transferred data, information leak and consequently code execution.

In its advisory, Core Security revealed that it reached out to Intel twice over the span of a fortnight before another notification to Intel’s Product manager over a month later, before eventually getting a response. A draft was requested by Intel in plain text despite Core Security’s offer for encrypted communication. Four days later, Intel responded to the security company to confirm that a new version was being worked on, confirming the vulnerability.

A tentative release date was set toward January 15th before the two companies agreed to release the update on January 19.

As things stand, the impacted software versions include 2.0, 2.1, 2.2 and 2.3. The updated software version that fixes the vulnerability with a patch is version 2.4.

Intel ‘highly’ recommends that all customers using the mentioned versions of the software update to the newest version through the following link here.

The fix was entirely necessary, as Core Security deemed the flaw could have been exploited easily noting the tool’s verification could be “easily bypassed.”

Image credit: Pixabay.