Dell, Where is the fix of Intel Management Engine vulnerability for my PC?

Read this.

For getting a vulnerability fix users have to way for 3 months without any protection.
Pretty cool (not).

What is the reason of BIOS update (the second table from "Read this.")?
According to Intel-SA-00086_Detection_UG.pdf, it will not help:

Table 2-5. Criteria to determine if a System is Vulnerable to Intel - SA-00086 Using the Intel-SA-00086 Detection Tool 

Thanks ALXIMIKS and Ron for the info and links.

To me, it looks like Intel published these vulnerabilities (INTEL-SA-00086) on Nov. 20, and Dell responded on Nov. 23.

Both the Intel Detection Tool, and the list from Dell tell me that my Dell XPS 13 9350 (Win 10 Pro) is at risk, and not yet patched. Users of Secunia PSI 3.0, and of Belarc Advisor should note that these utilities do NOT detect this unpatched vulnerability.

Dell - the clock is ticking.

Incidently, this is my second attempt to post this reply, thanks to Dell's intransigent reCaptcha.

I don't work for Dell and I have no control over timing for these updates, but consider this...

This vulnerability has existed for a very long time since it affects CPUs all the way back to Core Gen 6. AFAIK, this hole has never been exploited so it's either non-obvious and/or sufficiently difficult to exploit that it hasn't been penetrated. So I don't understand the "urgency" being expressed here.  

Secondly, none of us knows how much work and time are needed to prepare the update for each affected PC model. Keep in mind that this will be a firmware update, not just a (reversible) software patch. Dell has to be very sure that it not only fixes the problem, but also that it doesn't cause new problems or create new holes and/or BRICK a whole lot of motherboards. So a lot of testing will probably be needed before they can safely release these updates to users.

And we all HATE reCaptcha. :emotion-5:

My 2-cents...

Vulnerability in SMB 1.0 has lived until public disclosure for ten years.
It was used in NSA tools.
The results were WannaCry and NotPety viruses.

Did NSA know about this one (INTEL-SA-00086) - YES.
habrahabr.ru/.../

"Positive Technologies" discovered vulnerability.
They have found undocumented posibilities what were developed by Intel for NSA programm "High Assurance Platform".

Intel company answer:
"Mark/Maxim,
In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s “High Assurance Platform” program. These modifications underwent a limited validation cycle and are not an officially supported configuration."

Ron:

I don't work for anybody either. I agree with most of what you say. I have no clue as to the urgency of patching this. I wish I had a buck for every unpatched vulnerability I've read about.

Nonetheless, the publishing of this vulnerability (no matter how longstanding, or as yet unexploited) demands a response. If Intel now tells me my CPU has a vulnerability, then shunts the responsibility to Dell to fix it, then I expect a timely remedy. From somebody. After all, I'm not talking about Win 7 here, but about the latest Windows operating system. Touted to be the most secure ever. So yes ... the clock is ticking.

ALXIMIKS: Sorry, but I can't read your Russian link.

There was original source link. Nothing more.

Also, the problem becomes more complex when you will understand what is Intel ME.
It is not a software on your HDD.
It is not some BIOS update.

It is separate microcontroller between Intel processor and all other PC devices.
It has its own undocumented architecture.
And vulnerability provides the installation of unsigned programs on this microcontroller.

As a result, you could reinstall your Operation System or update your BIOS but the virus will be still there (on youor PC) and will do whatever it wants.

Lenovo has issued a fix:

Intel ME 11.x, SPS 4.0, and TXE 3.0 Cumulative Security Update:
support.lenovo.com/.../len-17297

"Intel gives motherboard manufacturers the ability to specify a small number of ME parameters. To this end, the company provides hardware manufacturers with a special set of software, which includes tools such as Flash Image Tool (FIT) for setting ME parameters and Flash Programming Tool (FPT), which supports the programming of flash memory directly via the built-in SPI controller."
(source link (rus) - https://habrahabr.ru/company/pt/blog/336242/)

Wow, Lenovo needs few day to fix the bug but DELL will fix it for 3 months.
If DELL will be work so intensive as for Intel Optane driver for their Lapbooks BIOS, I'm not sure that we will see any bug-fix at all.

Yes i agree, intel had some bogus ideas in the past but this is the most idiotic one. Using an ancient code to run a modern cpu and a modern operating system on it??? I dont need my bios to have its own web server and full functional IP stack, I want a bios that boots my OS and thats all it should do nothing else. i went with me_cleaner with option (-S) Both on my Alienware 17-R4 and my latitude 14 Rugged 5414 . But i ordered my latitude 14 with Out of band management disabled option, but i could not sure until i dissected the firmware. As soon i got them, both firmware were amputated of intel ME no shutdown or any problems. Obviously i used an SPI programmer (TL866A) with sop8 clip, backed up both firmwares and updated to the latest one backup again than cleaned and written back. I had to install Python for windows (use version 2.7.12 it works) newer will error out on syntax. These guys deserve a donation i think to unveil the hidden computer inside the computer that active even when your computer is off and doing it staff the *** knows what...Can we get back to the computers from the 80's when they didnt had bogus code running below hardware level, in fact they not even had setup for the BIOS it was a floppy disk as they only had 64k/128k  bios that only booted the system.