The latest security information on Intel® products.

Affected products:

Only specific configurations of these operating system/driver combinations are vulnerable. Detailed procedures for identifying the affected configurations can be found later in this document. Either review the procedure to determine if your system is affected or simply upgrade to the latest driver to ensure protection.

Once you have verified that you have an affected driver follow

 these steps to determine if you have a vulnerable configuration. Note that Administrator privileges are required to use the Device Manager and Registry Editor Windows applications.

Step 1: Determine which Intel Ethernet network hardware devices exist on the system.

• Open Device Manager.
  • Right-click on “My Computer” (“Computer” in Vista). The “My Computer” or “Computer” icon can be found by clicking the “Start” button on the Windows* desktop. The icon may also be visible directly on the Windows* desktop.
  • Select “Properties”.
  • On Windows* Vista, select “Advanced System Settings”, observe the User Account Control dialog appear, and select “Continue”.
  • Select “Hardware”.
  • Select “Device Manager”.
• Expand the “Network Adapters” node within Device Manager.
• If you do not see an Intel Ethernet network labeled either “PRO/100” or “PRO/1000” your system is not vulnerable; otherwise, continue to Step 2.

Step 2: For each Intel Ethernet network adapter, determine whether the device driver software is of a vulnerable version.

• Follow Step 1 to observe the Intel Ethernet network adapters on the system in Device Manager.
• For each Intel Ethernet network adapter visible in Device Manager:
  • Observe the adapter name in Device Manager. Note whether the adapter is a “PRO/100” (100 Mb/s) or a “PRO/1000” (1000 Mb/s)
  • Right-click on the adapter, and select Properties.
  • Select “Driver”.
  • Observe the Driver Version. This is a number of the form x.x.x.x.
  • Compare this driver version to the table of affected driver versions. For PRO/100 adapters, use the first row of the table. For PRO/1000 adapters, use the second and third rows of the table.
    • For PRO/1000 adapters, an optional step (not required by virtue of the fact that the PRO/1000 and PRO/1000 PCIe versions do not overlap) is to determine whether the device is a PRO/1000 or PRO/1000 PCIe device. This can be most easily accomplished by clicking on “Driver Details” on this same “Driver” page and observing the name of the .sys file. If that file begins with “e1e”, the device is a PRO/1000 PCIe device, and the third row of the table should be used. Otherwise, it should be a PRO/1000 PCI device with a name beginning with “e1g” or “e1000”, and the second row in the table should be used.
  • If the driver version is not one of the affected version per this table, the system is not vulnerable; otherwise, continue to Step 3.

Step 3: For each Intel Ethernet network adapter which has a vulnerable device driver version, examine the PcNic registry setting.

• Follow Step 1 to observe the Intel Ethernet network adapters on the system in Device Manager.
• For each Intel Ethernet network adapter visible in Device Manager:
  • Follow Step 2 to determine whether the device driver software is of an affected version. If the driver is not vulnerable, Step 3 may be skipped for this adapter.
  • Right-click on the adapter, and select Properties.
  • Select “Details”.
  • In the “Property” selection box, select “Hardware Ids”.
  • Keep this window open for later reference.
  • Open up the Registry Editor. On the command line (opened with “run as Administrator” in Vista), type “regedit”.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI.
  • Open the next subkey (under PCI) with the name that matches the longest string in the “Hardware Ids” property observed above.
  • Open the next subkey which is named in the form x&xxxxxxxx&xx&xxxx (e.g. 3&b1bfb68&0&FA). If there is more than one such subkey, then there are multiple adapters of the same Hardware Id on the system. This can occur either when multiple physical adapter cards are present or when a single adapter card has multiple ports. Each subkey corresponds to a different network adapter visible in Device Manager. A set of such adapters that have the same Hardware Id appears in Device Manager with a common base name appended with “ #n” where n is a sequentially increasing numeric value. In this situation of multiple adapters of common Hardware Id, it is not strictly necessary to correlate the registry subkey with the device node in Device Manager as long as every subkey is examined. Such correlation can optionally be achieved by matching the PCI bus/device/function number visible in the “LocationInformation” value of the subkey with the same information visible on the General property page of device manager. In most cases, there will be a single subkey under a given Hardware Id. If there is more than one, check them all.
  • Examine the Driver value. This value should be of the form “{4d36e972-e325-11ce-bfc1-08002be10318}\xxxx”. Make note of the value xxxx (e.g. 0008) for use below.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}.
  • Open the next subkey matching the Driver value examined above.
  • Within this subkey, look for a value type string (REG_SZ) named “PcNic”. If the “PcNic” value exists and is “0”, the system is not vulnerable (even if the driver version is one of the affected versions). If the “PcNic” value either does not exist or exists with a value of “1” (assuming in either case that the driver version is one of the affected versions), then the system is vulnerable.

Note 1: For Win CE drivers there is no version number, use the file creation date of the driver file.