Intel grapples with security glitch in server
The chip giant is closing a secret "back door" on one of its special purpose server appliances that could let an intruder delete files or even take control of a user's email functions.
- Shankland covered the tech industry for more than 25 years and was a science writer for five years before that. He has deep expertise in microprocessors, digital photography, computer hardware and software, internet standards, web technology, and more.
The vulnerability applies to Intel's InBusiness Email Station, a single-purpose server appliance that the chip giant sells to customers who want to set up email service.
In computer lingo, a "back door" is a secret way to access a computer. This particular back door was designed to let the manufacturer take over the server in the event the customer was having serious problems, Intel spokeswoman Micki Fuller said. Widespread knowledge of the door, however, raises security issues, she said.
Computer security expert Kit Knox discovered the bug and published a warning of the security problem at his Rootshell security site this week.
"This was a back door that existed into our product," Fuller said. "We are publishing code that will close the back door for our customers."
The update should be available by late tomorrow afternoon at Intel's support Web site, she said.
The back door was intended for use in "extreme cases" when customers needed help remotely, Fuller said.
By connecting via the Internet over a certain access channel, or "port," an intruder can issue several commands without ever needing to submit a password, Knox said. The commands let the intruder delete files, restore a machine to factory settings or, under some circumstances, take over the machine completely.
Fuller said only savvy users will be able to uncover the back door, and the exposure is limited because the server typically isn't connected to the Internet full time.
But Knox believes the problem is more serious. He believes computer security would improve with greater use of open-source software, in which programming instructions are openly available. The situation with Intel's email server shows that "when the source code is not out there, how many things can be lurking that we don't know about?" Knox said.
The back door isn't the first time the chipmaker has run afoul of people who object to an Intel feature they believe does more harm than good. Intel's Pentium III chip comes with a processor serial number that some critics alleged could let Web sites or government agencies track an individual's Net habits. A number of security and chip analysts asserted these fears about the serial number were unfounded, but the issue generated a slew of publicity.
Knox found the server problem while evaluating the product for use by customers. He discovered the commands while examining the machine's firmware, special instructions the computer runs on startup.
The vulnerability appears to date from the products of Dayna Communications, a company Intel acquired in 1997, Knox said.
The InBusiness email server uses VxWorks operating system and Intel 486 chips. Intel also sells server appliances for providing Internet access, file storage and print services using a similar setup but with different, higher-level software, Fuller said.