Some hardware vendors are reacting to the recent revelation that some of Intel's core CPU technology is riddled with security holes.
At the time of writing, three laptop and computer vendors have started offering a way to buy products without Intel ME (Management Engine), or have said they'll deliver firmware updates that disable the technology.
Intel Management Engine is a technology that is often described as a secret operating system inside the main Intel CPU. The ME component runs independently from the user's main OS, with separate processes, threads, memory manager, hardware bus driver, file system, and many other components. An attacker who exploits a flaw and gains control over the Intel ME has unfettered control over the entire computer. In November, Intel issued a security alert for several flaws affecting ME and other core Intel CPU technologies.
The first company to announce a decision on Intel ME was Purism, a company that describes itself as a freedom-respecting computer manufacturer.
What's surprising is that Purism took this step in October, almost a month before Intel published its security advisory about the Intel ME flaws.
It appears that the company made this decision simply because someone else had found a way to disable Intel ME, and Purism decided to use it to improve its customers' privacy.
"Disabling the Management Engine is no easy task, and it has taken security researchers years to find a way to properly and verifiably disable it," the company explained in a blog post. "The Librem 13 and Librem 15 products can be purchased today and will arrive with the Management Engine disabled by default."
The second company that took a similar step was System76, a seller of custom Linux PC rigs. In a blog post this week, the company explains its decision and puts forward the following rollout plan.
Last but not least, a Reddit user also noticed this week that Dell modified its online store to allow customers to buy Intel-powered computers without Intel's Management Engine.
It is unclear when this option was added, or whether Dell took this decision after Intel notified the company of the ME flaws. Nonetheless, the change is welcome, mainly because ME is a technology meant for enterprise environments, and has no place on personal-use computers.
Dell is just one of the many hardware vendors that have admitted they sell products affected by the Intel ME bugs. Other vendors are Acer, Fujitsu, HP, Lenovo, and Panasonic. All promised firmware updates that will fix the reported security bugs, although not all have delivered on their promise just yet.