Ikhowudi ye-BIOS ye-hardware ye-Intel Alder Lake iprosesa yathunyelwa kwi-4chan
Kwiintsuku ezimbalwa ezidlulileyo kwi-net iindaba malunga nokuvuza kwekhowudi ye-Alder Lake UFEI zikhutshiwe ukusuka kwi-Intel kwi-4chan kwaye ikopi yapapashwa kamva kwi-GitHub.
Malunga netyala I-Intel, ayizange ifake isicelo ngoko nangoko, kodwa ngoku iqinisekise ubunyani ukusuka kwi-UEFI kunye neekhowudi ze-firmware ze-BIOS ezifakwe ngumntu ongaziwayo kwi-GitHub. Iyonke, i-5,8 GB yekhowudi, izinto eziluncedo, amaxwebhu, iiblobhu, kunye nolungelelwaniso olunxulumene nokusekwa kwe-firmware iye yapapashwa kwiinkqubo ezineprosesa ezisekwe kwi-Alder Lake microarchitecture, ekhutshwe ngoNovemba ka-2021.
I-Intel ikhankanya ukuba iifayile ezinxulumene nazo ziye zajikeleza iintsuku ezimbalwa kwaye ngenxa yoko iindaba ziqinisekiswa ngokuthe ngqo kwi-Intel, echaza ukuba inqwenela ukubonisa ukuba lo mbandela awuthethi umngcipheko omtsha wokhuseleko lwe-chips kunye ne iinkqubo ezisetyenziswayo, ngoko ke ibiza ukuba ungothuki malunga netyala.
Ngokutsho kwe-Intel, ukuvuza kwenzeka ngenxa yomntu wesithathu kwaye hayi ngenxa yokuthotyelwa kweziseko ezingundoqo zenkampani.
"Ikhowudi yethu ye-UEFI yobunikazi ibonakala ngathi ikhutshwe ngumntu wesithathu. Asikholelwa ukuba oku kuya kuveza nabuphi na ubuthathaka obutsha bokhuseleko, njengoko singathembeli kulwazi lwe-obfuscation njengenyathelo lokhuseleko. Le khowudi igutyungelwe yinkqubo yethu ye-bug bounty ngaphakathi kweProjekthi yeCircuit Breaker, kwaye sikhuthaza nawuphi na umphandi onokuchonga ubuthathaka obunokubakho ukuze azise ingqalelo yethu ngale nkqubo. Sifikelela kubo bobabini abathengi kunye noluntu lophando ngokhuseleko ukubagcina benolwazi malunga nale meko. " -Isithethi seIntel.
Ngaloo ndlela akuchazwanga ukuba ngubani kanye owaba ngumthombo wokuvuza (ekubeni umzekelo abavelisi bezixhobo ze-OEM kunye neenkampani eziphuhlisa i-firmware yesiko babenokufikelela kwizixhobo zokuqulunqa i-firmware).
Malunga netyala, kukhankanyiwe ukuba uhlalutyo lomxholo wefayile epapashwe luveze ezinye iimvavanyo kunye neenkonzo ngqo yeemveliso zeLenovo ("Lenovo Feature Tag Test Information Information", "Lenovo String Service", "Lenovo Secure Suite", "Lenovo Cloud Service"), kodwa ukubandakanyeka kukaLenovo ekuvuzeni kukwaveze izinto eziluncedo kunye namathala eencwadi avela kwiSoftware ye-Insyde, ephuhlisa i-firmware ye-OEMs, kunye i-git log iqulethe i-imeyile evela omnye wabasebenzi be Iziko lekamva leLC, evelisa iilaptops zeeOEM ezahlukeneyo.
Ngokutsho kwe-Intel, ikhowudi eye yangena ekufikeleleni okuvulekileyo ayinayo idatha ebucayi okanye amacandelo anokuba negalelo ekubhengezweni kobuthathaka obutsha. Kwangaxeshanye, uMark Yermolov, ojongene nokuphanda ukhuseleko lweqonga le-Intel, ubhengeze kwiinkcukacha zefayile ezipapashiweyo malunga neelogi ze-MSR ezingabhalwanga (iilogi ezikhethekileyo, ezisetyenziselwa ukulawula i-microcode, ukulandelela kunye nokulungiswa kweempazamo), ulwazi oluwela phantsi. isivumelwano sokungagcinwa kwemfihlo.
Kwakhona, iqhosha labucala lifunyenwe kwifayile, esetyenziselwa ukusayina i-firmware yedijithali, que inokusetyenziswa ukugqitha ukhuseleko lwe-Intel Boot Guard (Isitshixo asikaqinisekiswanga ukuba siyasebenza, inokuba sisitshixo sovavanyo.)
Kwakhona kukhankanyiwe ukuba ikhowudi eyangena ekungeneni okuvulekileyo igubungela inkqubo yeProjekthi yeCircuit Breaker, ebandakanya ukuhlawulwa kwemivuzo ukusuka kwi-$ 500 ukuya kwi-$ 100,000 yokuchonga iingxaki zokhuseleko kwiimveliso ze-firmware kunye ne-Intel (kuqondwa ukuba abaphandi banokufumana umvuzo wokunika ingxelo. ubuthathaka obufunyenwe ngokusebenzisa imixholo yokuvuza).
"Le khowudi igutyungelwe yinkqubo yethu ye-bug bounty ngaphakathi kwephulo leProjekthi ye-Circuit Breaker, kwaye sikhuthaza nawuphi na umphandi onokuchonga ubuthathaka obunokubakho ukuba asixelele ngale nkqubo," wongeze watsho u-Intel.
Okokugqibela, kufanelekile ukukhankanya ukuba malunga nokuvuza kwedatha, olona tshintsho lwamva nje kwikhowudi epapashiweyo lungoSeptemba 30, 2022, ngoko ke ulwazi olukhutshiweyo luhlaziywa.