Recommended reading

Intel reports wave of high-severity GPU vulnerabilities — ten unique security vulnerabilities stemming from poor software hit range of graphics solutions

News
By published

While patched, the bugs point to another weak point in Intel's operation

Intel
(Image credit: Intel)

Everyone with any Intel graphics solution should be sure to update their drivers this week—the tech giant just announced ten new security vulnerabilities affecting a wide range of its GPU drivers and software. Nearly every Intel GPU or integrated graphics going back to the 6th generation of Core processors is affected by one or more of these vulnerabilities, which can be addressed by updating to the latest Intel graphics drivers.

The laundry list of vulnerabilities coming from Team Blue all require local access to take advantage of, greatly downgrading their importance to the average user. As the saying goes, if a hostile attacker has local access to your system, you have bigger things to worry about than side-channel attacks. But a group of vulnerabilities affecting Intel's entire graphics operation, going back to Skylake CPUs, is no laughing matter.

"Improper access control" for graphics software and drivers is the most serious repeat offender on the list. The vulnerabilities allow for escalation of privilege, denial of service, and information disclosure attacks. The integrated graphics software of every consumer CPU release since 6th-gen Intel Core, all Iris Xe and Arc GPUs, and Intel Data Center GPU Flex 140/170 GPUs are affected by one or more vulnerabilities and should be updated to the most recent drivers. Every user using drivers released after October 2024 is already protected from the vulnerabilities.

This great wave of security holes immediately follows another Intel security event. Earlier this week, researchers at ETH Zurich found a new way around Intel's fixes for the data-leaking Spectre v2 vulnerability, prompting its own round of advisories and fixes from Team Blue. Intel's CPU architecture is consistently plagued by side-channel and branch prediction attacks like Spectre, with its hardware and software fixes prone to being maneuvered around.

The CPU vulnerability discovered by Zurich also affected a wide swath of Intel CPUs, though the attack also requires local access and, according to Intel, has no real-world applications yet discovered. Intel advises anyone with an affected CPU to consult their system manufacturer for BIOS or microcode updates.

Intel's software weaknesses seem like a perennial issue for the tech giant, yet another problem weighing on the company in danger. Intel recently announced that its Intel Foundry program is not expected to break even until 2027, another issue for the company which has had multiple waves of layoffs this year. Intel's future is uncertain, making its proclivity for security flaws and vulnerabilities all the more serious.

Follow Tom's Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.

See more GPUs News
TOPICS
Dallin Grimm
Dallin Grimm
Contributing Writer

Dallin Grimm is a contributing writer for Tom's Hardware. He has been building and breaking computers since 2017, serving as the resident youngster at Tom's. From APUs to RGB, Dallin has a handle on all the latest tech news. 

10 Comments Comment from the forums
  • ThisIsMe
    You guys already post at least one over-hyped, negative article about Intel every day. Is it really necessary to add a recap of every one of them to every one of them? Is it a requirement for you all to append this summary? Is there a word count requirement? Do you guys get paid per word?

    Maybe I’m in the minority, but please just post the facts. Here’s the tl;dr

    Intel posted some security vulnerability notices. They’ve been patched for at least 7 months now. Be sure to update drivers if you haven’t yet.
    Reply
  • TerryLaze
    ThisIsMe said:
    You guys already post at least one over-hyped, negative article about Intel every day. Is it really necessary to add a recap of every one of them to every one of them? Is it a requirement for you all to append this summary? Is there a word count requirement? Do you guys get paid per word?

    Maybe I’m in the minority, but please just post the facts. Here’s the tl;dr

    Intel posted some security vulnerability notices. They’ve been patched for at least 7 months now. Be sure to update drivers if you haven’t yet.
    click through rate
    Google what it means.
    Reply
  • Amdlova
    ThisIsMe said:
    You guys already post at least one over-hyped, negative article about Intel every day. Is it really necessary to add a recap of every one of them to every one of them? Is it a requirement for you all to append this summary? Is there a word count requirement? Do you guys get paid per word?

    Maybe I’m in the minority, but please just post the facts. Here’s the tl;dr

    Intel posted some security vulnerability notices. They’ve been patched for at least 7 months now. Be sure to update drivers if you haven’t yet.
    We like to read how intel fail everytime :)
    Reply
  • rluker5
    Not everyone is affected. Current gen products like Arrow Lake and Battlemage dGPUs came out after these vulnerabilities were patched. So they are not new vulnerabilities in the sense that the current generation is, but they are new compared to hills and rivers and things.

    It wouldn't sound as urgent if they put it in that perspective. I vaguely remember thinking a long time back that it was nice that my Broadwell was just old enough to be immune and recently I learned that it is just new enough to still be supported by Windows 10. At least while W10 is.

    Edit: Maybe Tom's could include the current list of ignored, unpatched vulnerabilities that AMD has in AMD articles instead of showing an intel chip in an article about a new vulnerability class specific to AMD that they tried to pass off as affecting all chips. : https://promohunters.info/pc-components/cpus/worlds-first-cpu-level-ransomware-can-bypass-every-freaking-traditional-technology-we-have-out-there-new-firmware-based-attacks-could-usher-in-new-era-of-unavoidable-ransomware#xenforo-comments-3879481
    Reply
  • nogaard777
    Admin said:
    Intel has reported ten new GPU-related security vulnerabilities affecting drivers and graphics control software across a range of its GPU offerings this week. The announcement immediately follows announcements of a Spectre workaround from ETH Zurich.

    Intel reports wave of high-severity GPU vulnerabilities — ten unique security vulnerabilities stemming from poor software hit range of graphics sol... : Read more
    If Tom's didn't have a constant flow of click bait articles claiming Intel's demise they'd have no content at all. I sure don't remember this level of doom and gloom when AMD recently had a vulnerability that effects every CPU they've made for over half a decade. But that's AMD, and Tom's doesn't do negative AMD click bait
    Reply
  • Amdlova
    Some new's about AMD

    https://promohunters.info/pc-components/cpus/amds-microcode-vulnerability-also-affects-zen-5-cpus-granite-ridge-turin-ryzen-ai-300-and-fire-range-at-risk%3Cbr%3E https://promohunters.info/news/amd-inception-vulnerability-affects-zen-3-and-4%3Cbr%3E https://promohunters.info/pc-components/cpus/amd-wont-patch-all-chips-affected-by-severe-data-theft-vulnerability-ryzen-1000-2000-and-3000-will-not-get-patched-among-others%3Cbr%3E https://promohunters.info/pc-components/cpus/amd-patches-a-critical-microcode-vulnerability-affecting-zen-1-to-zen-4-epyc-cpus%3Cbr%3E https://promohunters.info/pc-components/motherboards/amd-finally-patches-gaping-zenbleed-security-hole-msi-releases-agesa-120ca-bios-update-for-zen-2%3Cbr%3E https://promohunters.info/news/amd-cachewarp-vulnerability-afflicts-epyc-server-cpus%3Cbr%3E https://promohunters.info/news/steam-deck-gets-belated-linux-zenbleed-vulnerability-patch%3Cbr%3E https://promohunters.info/tech-industry/cyber-security/graphics-card-flaw-enables-data-theft-in-amd-apple-and-qualcomm-chips-by-exploiting-gpu-memory
    Reply
  • dalek1234
    Amdlova said:
    We like to read how intel fail everytime :)
    It's so entertaining, isn't it?
    Reply
  • bit_user
    The article said:
    all require local access to take advantage of, greatly downgrading their importance to the average user. As the saying goes, if a hostile attacker has local access to your system, you have bigger things to worry about than side-channel attacks.
    No, I think you misunderstand.

    First, when they say it requires a local, authenticated user, they do not mean that it requires physical access. The way an exploit like this can work is either if an authenticated user runs a piece of infected software (i.e. either malware or virus-infected) or if they visit a web site that contains an exploit which harnesses a vulnerability in their web browser. Both are ways an authenticated user can unwittingly execute one of these exploits.

    Some of these are "denial of service", but 3 are "privilege escalation". So, by chaining together one of these + other exploits that hackers can gain root access on your box. Gaining admin access to a machine rarely involves just a single exploit. Ransomware is an example of an attack that generally requires admin privileges. So, that's why privilege escalation exploits aren't something you should casually disregard.

    @JarredWaltonGPU please mention this to Dallin.
    Reply
  • bit_user
    rluker5 said:
    Edit: Maybe Tom's could include the current list of ignored, unpatched vulnerabilities that AMD has
    This is whataboutism. It's how a lot of flame wars start. Someone tries to distract from some bad news by trying to highlight something negative about the other brand, and that draws a bunch of defenses. Then, it just grows from there.

    My advice would be: don't be so sensitive. Making a big fuss over something just draws attention to it.

    IMO, if you don't have something to say about the article or what it article covered, just let it go and move on. However, that's just my opinion.
    Reply
  • rluker5
    bit_user said:
    This is whataboutism. It's how a lot of flame wars start. Someone tries to distract from some bad news by trying to highlight something negative about the other brand, and that draws a bunch of defenses. Then, it just grows from there.

    My advice would be: don't be so sensitive. Making a big fuss over something just draws attention to it.

    IMO, if you don't have something to say about the article or what it article covered, just let it go and move on. However, that's just my opinion.
    Perhaps you didn't notice the context of my comment. It is in reference to the article which presents a recent laundry list of bad news for Intel in a belated article on vulnerabilities fixed last generation for CPUs and GPUs. Coming off as a blatantly anti Intel hitpiece with no new news.

    I took issue with the laundry list as most of the commenters including the one I liked prior to making my comment.

    I was just coming up with what a similar example would look like if the companies were switched to show how out of place it would look.

    Amdlova showed that it isn't Tom's in general that is so biased, it must just be a few writers. But I would be happy if a big fuss were made over it. Such articles should get a different screen color and be labeled as partial.
    I don't want Tom's to get the same reputation as Userbenchmark, but for a different chip company.

    Credibility is helped by the appearance of impartiality.
    Reply