Intel patches flaw in driver update utility that left users open to attacks
21 January 2016
Intel has fixed a vulnerability in a driver utility tool that could have left users exposed to man-in-the-middle attacks, according to reports.
The update to the Intel Driver Update Utility “helps mitigate the use of a non-SSL URL” when requesting updates from the firm, a security advisory said.
Versions 2.0 to 2.3 of the software put users at risk because they use an unencrypted connection that could have allowed hackers to hit users with malware.
The new version of the software – 2.4 – uses a secure SSL connection to contact Intel’s servers.
The vulnerability was disclosed to Intel by Core Security, which said the flaw “could result in integrity corruption of the transferred data, information leak and consequently code execution.”
The flaw was reported in November, and the update was released on Tuesday.
This month it was also revealed that the smartphone-controlled BB-8 toy, based on the character from Star Wars: The Force Awakens, was vulnerable to a similar attack.
The device received firmware updates over an unencrypted HTTP connection instead of a secure SSL connection, according to Pen Test Partners.
Manufacturer Sphero promised updates were on the way to improve security.
For more on this week’s update to the Intel Driver Update Utility, see the Intel website.