NUC, NUC! Who's there? Intel, warning you to kill a buggy keyboard app

No joke: another security SNAFU for Chipzilla, this time for a popular remote admin app

Intel NUC5i5RYK

Intel has made much of its NUC and Compute Stick mini-PCs as a way to place computers to out-of-the-way places like digital signage.

Such locations aren’t the kind of spots where keyboards and pointing devices can be found, so Intel sweetened the deal by giving the world an Android and iOS app called the “Intel Remote Keyboard” to let you mimic a keyboard and mouse from afar.

But now Chipzilla’s canned the app.

The reason is three nasty bugs that let attackers “inject keystrokes as a local user”, “inject keystrokes into another remote keyboard session” and “execute arbitrary code as a privileged user.” The bugs are CVE-2018-3641, CVE-2018-3645 and CVE-2018-3638 respectively.

Rather than patch the app, Intel’s killed it and "recommends that users of the Intel® Remote Keyboard uninstall it at their earliest convenience."

The app's already gone from the Play and App Stores (but Google’s cached pages about it for Android and iOS in case you fancy a look).

The Android version of the app’s been downloaded at least 500,000 times, so this is going to inconvenience plenty of people … at least until they get RDP working on Windows boxes and VNC running under Linux. The greater impact may be on Intel’s reputation for security, which has already taken a belting thanks to the Meltdown/Spectre mess. ®




Biting the hand that feeds IT © 1998–2018