Brad Smith, president and chief legal officer of Microsoft, wailed about the WannaCrypt ransomware, which was negligently lost by the NSA, with its former name being EternalBlue:
"Second, this attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect. As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support."
In truth, many Windows 7 and 8.1 customers would have been fully patched if Microsoft had not tried to shove Windows 10 down everyone's throat by using tactics many considered to be akin to malware. Many users changed their Windows Update setting to "Never check for updates" to avoid being moved to Windows 10.
Microsoft doubled down on user-hostile interfaces by eliminating its security bulletins, which many users depended upon to decide whether an update should be accepted. It also combined many unrelated updates into one bundle, forcing users to either accept or reject everything.
By the way, Linux isn't affected by WannaCrypt.
Intel confirmed (here and here) that using a separate NIC card instead of the on-board NIC will prevent AMT from running, as only the NIC built into the chipset communicates with the ME and AMT. And it does not matter which chipset vendor -- Intel, Realtek, etc. -- or bus type -- PCI or PCIe -- the card employs. This solution won't work for everyone, but it's one way to prevent attacks.
I previously wondered just how vulnerable Intel's vPro, ME, and AMT were, but I had no idea. AMT accepts a zero-length password hash field, something that should have been caught by any Intel developer. Access is possible as long as the PC has power and Ethernet connectivity.
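A constructed C illustration of the bug class described above, added here as an example; it is not Intel's firmware code and not from the original post. It assumes a verifier that compares only as many bytes as the supplied hash field contains, and sets a hardened check beside it. The function names, the sample value and the 32-character digest length are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HASH_HEX_LEN 32  /* assumed: hex digest length the verifier expects */

/* Flawed pattern: the number of bytes compared comes from the supplied field.
 * A zero-length field compares zero bytes, so the check "matches". */
int check_flawed(const char *expected, const char *supplied, size_t supplied_len)
{
    return strncmp(expected, supplied, supplied_len) == 0;
}

/* Hardened: require the exact expected length first, then compare every byte
 * without an early exit so timing does not reveal the first mismatch. */
int check_hardened(const char *expected, const char *supplied, size_t supplied_len)
{
    unsigned char diff = 0;
    size_t i;

    if (supplied_len != HASH_HEX_LEN || strlen(expected) != HASH_HEX_LEN)
        return 0;
    for (i = 0; i < HASH_HEX_LEN; i++)
        diff |= (unsigned char)(expected[i] ^ supplied[i]);
    return diff == 0;
}

/* Constructed sample value, not a real credential hash. */
static const char SAMPLE_EXPECTED[] = "0123456789abcdef0123456789abcdef";

int main(void)
{
    const char *wrong = "ffffffffffffffffffffffffffffffff";

    printf("flawed,   empty field:   %d\n", check_flawed(SAMPLE_EXPECTED, "", 0));
    printf("hardened, empty field:   %d\n", check_hardened(SAMPLE_EXPECTED, "", 0));
    printf("hardened, wrong value:   %d\n", check_hardened(SAMPLE_EXPECTED, wrong, 32));
    printf("hardened, correct value: %d\n",
           check_hardened(SAMPLE_EXPECTED, SAMPLE_EXPECTED, 32));
    return 0;
}
```

The same length-first rule also rejects a truncated field that merely matches a prefix of the expected value, which the flawed form would accept.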
The best resource I have seen on the subject is from SSH Communications Security with links to OEMs, though I strongly suggest you avoid the link for Intel drivers from a non-Intel source. Intel's official announcement and its Detection Guide are worth perusing.
Intel admitted that the vulnerability is not limited to Q-chipsets, with the list of affected Intel desktop boards being:
- Intel Desktop Board DB65AL
- Intel Desktop Board DB75EN
- Intel Desktop Board DB85FL
- Intel Desktop Board DQ57TM
- Intel Desktop Board DQ57TML
- Intel Desktop Board DQ67EP
- Intel Desktop Board DQ67OW
- Intel Desktop Board DQ67SW
- Intel Desktop Board DQ77CP
- Intel Desktop Board DQ77KB
- Intel Desktop Board DQ77MK
- Intel Desktop Board DQ87PG
NUCs and at least one Compute Stick are affected:
- Intel NUC Board D53427RKE
- Intel NUC Board NUC5i5MYBE
- Intel NUC Kit DC53427HYE
- Intel NUC Kit NUC5i5MYHE
- Intel Compute Stick STK2mv64CC
Motherboards from other vendors with Q or B chipsets are vulnerable and firmware should be obtained from them. Laptops from HP and Lenovo may or may not be vulnerable, but at the time I wrote this, Dell still had no clue.
One moral of the story is, do not buy Intel processors with vPro unless you are buying for corporate use and intend to use AMT. Verify your processor's specifications at Intel's Ark.