This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill! No, I'm not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all.
Security Researchers Joanna Rutkowska is planning to release a research paper + exploit code for a new SMM (System Management Mode) exploit that installs via an Intel® CPU caching vulnerability. Joanna, of blue pill fame, reported this on her blog
Joanna cleared it up for me that they are not releasing a SMM rootkit but rather a exploit. It will be up to some other folks to tie this in with a SMM rootkit like this one perhaps.
"Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms. The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours."
The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, the OS cannot control or read SMM, and the only way to read SMM is to disassemble the system makes an SMM rootkit incredibly stealthy! It is very much like the blue pill attack (the PC is living in the matrix which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit! SMM has been around in Intel chips since 386 processors so if you'd like further education or history lesson here is a good article.
Now remember that what Joanna will be releasing is a brand new, never before disclosed Intel caching hack that allows them to gain access to SMM space and run their new exploit. If you then use this exploit to run a SMM rootkit that has the ability to call home to its creator to get new code or deposit its findings your really gonna have a powerful hack. No software you can run on your operating system would be able to detect this type of exploit once you are p0wned.
So why would they release the exploit code to the public you ask. Aren't security researchers supposed to play by the rules and refrain from disclosure? Well here's the thing, both the CPU caching vulnerabilities and the SMM vulnerabilities already have been reported to intel. In fact, according to Joanna "the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees." Joanna also officially reported this and other related bugs to Intel. Loic Duflot also did so back in October 2008. Bottom line is
Jamey Heary, CCIE No. 7680, is the author of the Cisco NAC Appliance: Enforcing Host Security with Clean Access book by Cisco Press. Jamey is a seasoned security technologist with over 15 years in the IT field with 10 years focused on IT security. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey is currently a Security Consulting Systems Engineer with Cisco, though the opinions expressed here are his own. Jamey is a member of Network World's Cisco Subnet blog community.
The Leader in Network Knowledge
Intel Flaw
How will Intel Patch this flaw in currently on the market processors. A microcode update perhaps?
Patch
We don't yet know how they will patch it since the vector the attack uses is not known yet. But in the past Intel has dealt with these types of things through a firmware upgrade. Like this one which Joanna previously exploited at blackhat 2008.
http://news.softpedia.com/news/Intel-Releases-Security-BIOS-Firmware-Updates-for-Several-Boards-92554.shtml
Except that....
My guess is that since Intel has known of the issue for 3+ years and have NOT put out a microcode update/patch/upgrade whatever...then it's reasonable to assume they can't. I doubt highly they would not act on it if it were fixable. I guess we will see either way.
Now if somebody out there could permanently fix those friggin SpySheriff/Antispy2009/Filefix Pro 2009, etc... extortion ware that would really be something great. I'm so sick of fixing those.
Redicules
This is a rediculous article, however, it is right in the sense that this could pose a serious threat to pc's.
I don't agree with you it is
I don't agree with you it is not ridiculous. You can check villento and then say smth.
I work for an online >Las
I work for an online >Las Vegas security company and recently encountered this for the first time. Aren’t some aspects of what they are doing here illegal and has there been any update on the situation?
Hmm
Hmm this sucks.
I'm assuming that this would
I'm assuming that this would affect not only Windows PC's, but Macs as well since they are now intel powered PC's.
AMD anyone?
Glad to be on AMD i'd say.
How about AMD?
Does this also affect AMD processors?
Post new comment