“The silver lining is that if an attacker can exploit your system through the existing Intel ME vulnerability, then there they can’t do much worse by also gaining access to VISA. However, if in the future attackers find another way to enable VISA, even on systems with patched Intel ME firmware, that could indeed expose PC users to new dangers.”
Can someone from purism comment on that?
The good news is that the feature is disabled by default (unlike Intel ME, which is enabled by default on most Intel-based machines), so attackers can’t exploit VISA without first finding a way to enable it.
The bad news is that the Positive Technologies researchers found a way to disable VISA using an older Intel ME vulnerability. Intel released a firmware patch that fixes that vulnerability back in 2017, but unless your laptop maker or motherboard maker has sent your the updated firmware and you updated your system with it, your PC will remain vulnerable.
Emphais mine. As part of our process to neutralize and disable the ME in the versions of coreboot we ship, we not only pull down a recent version of the ME, we also remove almost all of the modules that someone like PT could attempt to exploit.
Based on the information that’s out there currently about PT’s research (it sounds like more details are forthcoming), I don’t think our laptops are vulnerable to this for the reasons I stated above. Beyond all of that, if someone were to attempt to modify the ME (for instance loading an older, vulnerable version of it) to allow for this exploit, you would be able to detect that tampering if you were using PureBoot.
I realize this is copied from the article, but I presume they meant enable here rather than disable