Security researchers at an antivirus company have documented another potentially serious security hole in an Intel product, this time in the mechanism for performing system updates. The good news, however, is that it is limited to desktops, is a configuration error, and does not appear to impact servers.\nLast June, researchers at F-Secure found a flaw in Intel\u2019s Active Management Technology (AMT), a feature used to perform remote updates to advanced desktops using Intel vPro or workstation platforms using Core desktop chips and certain Xeon CPUs. Xeon is primarily a server processor but there are some low-end chips used in high-performance workstations, such as those used in a CAD environment.\nAMT is designed to allow administrators to access and perform updates to PCs even if the PCs are turned off, so that they don't have to go from computer to computer performing updates. Instead, an update is pushed out from a central location.\nWhat F-Secure found is that an attacker can gain full access to an entire machine, including encryption keys. The vulnerability allows a local intruder \u2014 key word local \u2014 to backdoor almost any corporate laptop in a matter of seconds, even if the\u00a0BIOS password, TPM Pin, Bitlocker and login credentials are in place.\n\u201cThe attack is almost deceptively simple to enact, but it has incredible destructive potential. In practice, it can give a local attacker complete control over an individual\u2019s work laptop, despite even the most extensive security measures,\u201d said Harry Sintonen, the F-Secure security consultant who found the bug in a blog post.\nNormally computers with AMT have a BIOS password to prevent making low-level changes, but due to insecure defaults in the BIOS and AMT\u2019s BIOS extension (MEBx) configuration, an attacker with physical access can log in using the default password \u201cadmin.\u201d Given the bad security habits of many people, there\u2019s a good chance this default password was not changed.\nBy changing the default password, enabling remote access and setting AMT\u2019s user opt-in to \u201cNone,\u201d the attacker has now backdoored the machine and can gain access to the system remotely, assuming the attacker is on the same network as the target machine.\nIntel says this is a problem in how the machine is configured by the OEM. Its recommendation is that MEBx access be gated by the BIOS password and has said so since 2015. What F-Secure found is that some system manufacturers were not requiring a BIOS password to access MEBx. So it updated its guidance for proper AMT\/MEBx security in December.\nAgain, it must be emphasized that this is a) an exploit that requires local access to the computer, b) requires the attacker to be on the same network for further exploits, and c) does not impact Xeon servers. With the hysteria over Meltdown, this vulnerability is getting a bit of shrill coverage that is not warranted.\nIntel, though, has to tighten up AMT, because this is not the first problem to emerge. Last year, security researchers also found vulnerabilities in Intel AMT, which could have allowed attackers to \u201caccess everything,\u201d including memory and encryption keys. Intel has since released patches.