Intel Management Engine Vulnerability and Surface Devices


Microsoft is aware of the Intel Management Engine vulnerability (Intel-SA-00086). The Intel vulnerability detection tool currently lists Microsoft Surface devices as vulnerable to this security advisory.

Microsoft has investigated the issue and found the following:

  1. Remote exploit of this vulnerability requires Intel Active Management Technology (AMT). Current Surface devices do not allow remote connectivity to the ME because our devices do not run AMT.
  2. Local exploit of this vulnerability requires Direct Connect Interface (DCI) access via USB, which is not provided on Surface devices.

Because of this, we believe the risk of exploits using this vulnerability is significantly reduced on Surface devices. We care deeply about ensuring our devices are reliable and secure and are working with Intel to generate fixes for current devices, which we expect to release in the near future.

Comments (9)

  1. atxta says:

    About “Local exploit of this vulnerability requires Direct Connect Interface (DCI) access via USB, which is not provided on Surface devices.”

    Can an attacker use other ports, like the SD slots etc.?
    What about the Surface Dock? Does this have a Direct Connect Interface via USB?

    1. No, the USB ports provided on Surface devices, including the SD Card slot and Surface Connect (and therefore Surface Dock), do not have DCI connectivity and are not considered vulnerable to this exploit.

  2. Whatcha says:

    Microsoft has investigated the issue and found the following:
    Local exploit of this vulnerability requires Direct Connect Interface (DCI) access via USB, which is not provided on Surface devices.

    Does the Surface Dock have DCI (Direct Connect Interface) access via USB?
    Is a Surface vulnerable to this attack when connected to a Surface Dock, or any other port replicator or USB-A or USB-C hub?

    1. Surface device USB ports, including the USB connections used for the SD Card slot and Surface Connect (including the USB ports of the Surface Dock and Surface Docking Stations), do not provide DCI access and thus are not considered vulnerable to this exploit.

  3. Vijoy Prasad says:

    Please send me a fix when it is released! I am prone to many attacks!

    1. When updated firmware is available for your device it will be announced via this blog. If you wish to be alerted when new firmware is available, you can subscribe to the blog RSS feed.

  4. Kevin Parker says:

    My laptop is a Surface Book with Intel i5-6300U Processor. And it has 2x USB connectors built into it. The Intel Detection Tool tells me my computer is Vulnerable. What is its level of vulnerability and how do I minimise that pending your release of a ‘fix’? What do I need to do now to ensure my computer is secure from this potential issue?

    1. There is no required action on your part. Surface USB connections, including the SD Card slot and Surface Connect, do not provide DCI access and are not considered vulnerable to this exploit.

  5. Jaime says:

    So, we don’t have to care about this?
