Because of the pervasive control the IME has over a system, and the unfortunate fact that an end user typically cannot disable it, some vendors have started neutralizing it themselves. Dell, System76 and a few others now either offer the option of shipping a system with the IME disabled or turn it off outright. The latter seems the smarter choice given how much control an attacker would gain by compromising the IME. One caveat worth knowing: "disabled" in these offerings does not mean removed. In practice the ME is told to halt shortly after it has initialized the platform (typically via the HAP bit that Positive Technologies documented in 2017), so the firmware is still present and still runs during early boot.
The IME runs on its own microcontroller inside the chipset (the PCH), with its own firmware, memory, processes, threads, bus and storage, entirely beneath the OS. Nothing running at the OS level can monitor or protect it, which also makes it an excellent place to hide from any anti-malware on the system. The UEFI BIOS is in a similar position: it executes on the main CPU before the OS loads and leaves resident code (SMM handlers, for example) that the OS cannot inspect. Both components can independently drive the hardware without alerting the OS running in the layers above them, yet both are capable of interacting with any OS executing there. This is not what you want to hear about important subsystems on your PC.
We fully expect other vendors to follow in the near future, and we may even see security tools that at least detect when the IME or UEFI BIOS tries to interact with the OS or inject code into normal userland or kernel memory. Of course, there is still the GPU's own processor and memory that everyone seems to overlook, but that is for another article.
For now, if you own an Intel-based system, make sure you are running the latest firmware your system vendor offers, so that you are as protected as is currently possible. Note that ME firmware is delivered through the vendor's BIOS/firmware update package, not through the operating system's normal patch channel, so an up-to-date OS alone does not cover it; Intel and most OEMs publish detection tools that report whether the ME firmware on a given system needs an update.
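A quick way to see what the ME looks like from the host is to inventory the interface it exposes to the OS. The script below is an added example, not something from the original article or from Intel: it parses `lspci -nn` for the Intel MEI/HECI PCI function (vendor 8086, PCI class 0780) and reads the firmware version the `mei_me` driver publishes in `/sys/class/mei/meiN/fw_ver`. The sample `lspci` lines and `fw_ver` content are constructed so it runs offline; on a real Linux machine it uses the live system when those tools and paths exist. The `is_older` helper compares a version against a baseline you supply from your vendor's advisory, and refuses to compare across ME generations, where the numbering is not comparable.

```python
"""Inventory the Intel Management Engine (ME) as a Linux host can see it.

The ME talks to the host through the MEI/HECI PCI function (Intel vendor
8086, PCI class 0780 "Communication controller") and, once the mei_me
driver binds, publishes its firmware version in /sys/class/mei/meiN/fw_ver.
The SAMPLE_* strings below are constructed so the code runs offline.
"""
import glob
import re
import subprocess
from typing import List, NamedTuple, Optional, Tuple

INTEL_VENDOR_ID = "8086"
COMM_CONTROLLER_CLASS = "0780"

# One `lspci -nn` line: 00:16.0 Communication controller [0780]: <name> [8086:9d3a] (rev 21)
LSPCI_LINE = re.compile(
    r"^(?P<slot>\S+)\s+(?P<class_name>.+?)\s+\[(?P<class_id>[0-9a-f]{4})\]:\s+"
    r"(?P<name>.+?)\s+\[(?P<vendor>[0-9a-f]{4}):(?P<device>[0-9a-f]{4})\]"
)

# Constructed sample `lspci -nn` output, modelled on a Skylake-era laptop.
SAMPLE_LSPCI = """\
00:00.0 Host bridge [0600]: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor Host Bridge/DRAM Registers [8086:1904] (rev 08)
00:14.0 USB controller [0c03]: Intel Corporation Sunrise Point-LP USB 3.0 xHCI Controller [8086:9d2f] (rev 21)
00:16.0 Communication controller [0780]: Intel Corporation Sunrise Point-LP CSME HECI #1 [8086:9d3a] (rev 21)
00:1f.3 Audio device [0403]: Intel Corporation Sunrise Point-LP HD Audio [8086:9d70] (rev 21)
"""
# Constructed sample fw_ver content; the kernel format is platform:major.minor.hotfix.build
SAMPLE_FW_VER = "0:11.8.70.3626\n"


class MeiDevice(NamedTuple):
    slot: str
    name: str
    device_id: str


class MeFirmwareVersion(NamedTuple):
    platform: int
    major: int
    minor: int
    hotfix: int
    build: int


def find_mei_devices(lspci_nn_output: str) -> List[MeiDevice]:
    """Return the Intel communication-controller functions that look like the ME interface."""
    found = []
    for line in lspci_nn_output.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if not m or m["vendor"] != INTEL_VENDOR_ID or m["class_id"] != COMM_CONTROLLER_CLASS:
            continue
        if re.search(r"HECI|Management Engine|\bMEI\b|CSME", m["name"]):
            found.append(MeiDevice(m["slot"], m["name"], m["device"]))
    return found


def parse_fw_ver(text: str) -> List[MeFirmwareVersion]:
    """Parse fw_ver text: one "platform:major.minor.hotfix.build" line per firmware component."""
    versions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        platform, sep, rest = line.partition(":")
        parts = rest.split(".")
        if not sep or len(parts) != 4:
            raise ValueError(f"unexpected fw_ver line: {line!r}")
        versions.append(MeFirmwareVersion(int(platform), *(int(p) for p in parts)))
    return versions


def is_older(version: MeFirmwareVersion, baseline: Tuple[int, int, int, int]) -> Optional[bool]:
    """True if `version` predates `baseline` (major, minor, hotfix, build) from your vendor's advisory.
    ME numbering is only meaningful within one major generation (11.x and 12.x are different
    firmware lines), so a generation mismatch returns None instead of a misleading verdict."""
    if version.major != baseline[0]:
        return None
    return (version.major, version.minor, version.hotfix, version.build) < tuple(baseline)


def collect_live() -> Tuple[Optional[str], List[str]]:
    """Read `lspci -nn` and every fw_ver file present; returns (None, []) when unavailable."""
    try:
        lspci = subprocess.run(["lspci", "-nn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        lspci = None
    fw_texts = []
    for path in sorted(glob.glob("/sys/class/mei/*/fw_ver")):
        with open(path) as f:
            fw_texts.append(f.read())
    return lspci, fw_texts


if __name__ == "__main__":
    lspci, fw_texts = collect_live()
    if lspci is None:
        print("lspci unavailable; using constructed sample output")
        lspci, fw_texts = SAMPLE_LSPCI, [SAMPLE_FW_VER]
    devices = find_mei_devices(lspci)
    if not devices:
        # Absence is not proof the ME is off: the driver may not be loaded, or the
        # firmware may hide the HECI function while the ME still runs underneath.
        print("no MEI/HECI PCI function visible to the OS")
    for dev in devices:
        print(f"{dev.slot}  {dev.name}  [8086:{dev.device_id}]")
    for text in fw_texts:
        for v in parse_fw_ver(text):
            print(f"ME firmware {v.major}.{v.minor}.{v.hotfix}.{v.build} (platform {v.platform})")
```

Treat the result as an inventory, not a verdict. Seeing the HECI function and a version number tells you the ME is present and what firmware it reports; not seeing it does not prove the ME is disabled, since the driver may be missing or the firmware may hide the interface. The version you read should be checked against the baseline in your system vendor's firmware advisory, which is why `is_older` takes that baseline as an argument rather than hard-coding one.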