March 23, 2009 4:00 AM PDT

Intel chip flaw--but what of it?

by Brooke Crothers

Some researchers claim that Intel has a serious chip bug on its hands. But that all depends.

Security experts who are into the arcana of chip security may find "CPU cache poisoning" riveting and serious stuff. Others, however, may simply scratch their heads and move on.

But let's not move on too quickly. First, a quote from an abstract of the paper (PDF) that has some of the chip world abuzz. "In this paper we have described practical exploitation of the CPU cache poisoning...This is the third attack on SMM (system management mode) memory our team has found within the last 10 months, affecting Intel-based systems. It seems that the current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying."

Joanna Rutkowska, who exposed the potential of the so-called Blue Pill flaw in August 2006 and who founded Invisible Things Lab, wrote that excerpt (along with colleague Rafal Wojtczuk) and obviously takes this very seriously.

As do others. Not worried yet? "This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill!," writes Jamey Heary in a Network World blog. He is a consulting systems engineer for Cisco Systems.

So now that we know it's scary, what could happen in a worst-case scenario? Suffice it to say that gaining access to "privileged" SMM memory would essentially allow hackers to do anything they want to the target PC. The question is, would they actually take advantage of this particular opening?

"If a hacker can use this new exploit to embed a SMM rootkit (malware) they would have ultimate control over the box (computer). Additionally, it would be virtually undetectable," Heary wrote in response to an e-mail query. But he also added: "In a nutshell. This exploit is very serious and needs to be fixed. But...I don't see a mass virus or worm using this. The attacks will be targeted. A rootkit must be perfectly matched to the hardware. This makes mass infection more difficult."

Rutkowska and Wojtczuk, in the abstract, say that the paper discusses "how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits."

Who can do this? "We assume that the attacker has (what is in practice)...equivalent to administrator privileges on the target system, and on some systems, e.g. Windows, also the ability to load and execute arbitrary kernel code," write Rutkowska and Wojtczuk.

And what systems are potentially vulnerable? Though both Intel and Rutkowska say the "attack" presented in the paper has been fixed on some systems, Rutkowska goes on to say: "We have however found out that even the relatively new boards, e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn't seem to be vulnerable though). The exploit attached is for DQ35 board--the offsets would have to be changed to work on other boards (please do not ask how to do this)." (Here is a list of Intel motherboards she refers to.)

These motherboards are used with Core 2 Quad, Core 2 Duo, Pentium, and Celeron processors, according to Intel's Web site.

Intel has addressed the matter this way: "We are working with these researchers. We take this research and all reports seriously. Currently as far as we know, there are no known exploits in the wild," Intel spokesman George Alfs said in a written statement.

One point worth noting is that this is not an Intel erratum per se, the kind of defect Intel typically details in its processor specification updates. This is a theoretical attack from a malicious hacker. Nevertheless, users can minimize the risk by keeping up to date on patches and on operating system and security suite updates. Particularly important are BIOS (basic input/output system) and firmware updates for the processors and motherboards referenced above.

So, what is the average user to make of all of this? Security attacks and security vulnerabilities have been around since (computer) time immemorial (in the relatively brief history of mass-market computing). A report from U.K.-based technology Web site The Register in 2006, for example, suggested that people should not purchase Core 2 Duo systems--now widespread worldwide--because of security vulnerabilities and cited an open-source expert, who prophesied doom and gloom for the Core 2 Duo architecture.

Then there's the whopper of them all--and a flaw very different in nature from the SMM vulnerability discussed above--the show-stopping 1994 Intel FDIV bug, discovered by Professor Thomas Nicely, then at Lynchburg College in Virginia. Also referred to as the floating-point bug, it wasn't a flaw exploitable by malicious hackers; rather, it was a bug in Intel's original Pentium floating-point unit. Certain arcane floating-point division operations done on these processors would generate incorrect results.

This bug, covered prominently by The New York Times and CNN at the time, actually had virtually no effect on users, except for causing them to panic; as a consequence, some insisted that Intel provide them with new processors. The recall cost Intel close to a half-billion dollars.

Brooke Crothers has served as an editor at large at CNET News, an editor at Dow Jones' Asian Wall Street Journal Weekly, and a senior editor at InfoWorld. His CNET blog covers chip technology and computer systems, and how they define the computing experience. He also contributes to The New York Times' Bits and Technology sections. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. Follow Brooke on Twitter @mbrookec.
by 3rdalbum March 23, 2009 6:14 AM PDT
A little worrying for corporations running VMs as this exploit results in code running in a ring of privilege higher than VM hypervisors - it would be able to read memory from all virtual machines. However, it requires the attacker to get root or administrator privileges, and there are no details on whether the exploit works on the Xeon processors that you are likely to be using if you have multiple virtual machines!

If you're only running one operating system, then this exploit is nothing to worry about; it'll still work, but the attacker wouldn't be able to get any more information than he'd be able to get if he gained root (which he still has to do in order to perform this exploit).

So basically, if you are on a Core-architecture CPU and running virtual machines with a motherboard that isn't the DQ45, and you have some unpatched software that contains a remote privilege escalation flaw, you can worry. Otherwise, I'm sure you have more immediate problems like "Do I need to buy more milk before the shops shut" :-)
by pentest March 23, 2009 2:09 PM PDT
It is not difficult to obtain root or admin privileges. Especially, but not exclusively, on Windows.

People tend to forget that the difference between a normal user and admin is controlled in software, and that even if you are running as non-admin, lots of programs are running with admin or kernel privileges.
by solu1978 March 23, 2009 8:37 AM PDT
How's the lawsuit with AMD going for Intel?
by pithenumber March 23, 2009 12:48 PM PDT
and how does this relate to a bug in Intel chips?
by mattumanu March 23, 2009 9:03 AM PDT
Do you guys just put this stuff in to see if anyone is reading?

"A rootkit must be perfectly matched to the of hardware"

It would be much easier to read the of articles if the of syntax were of better.
by kcotham March 23, 2009 9:19 AM PDT
That's the price of relying on the spell-checker instead of having a human being proof-read it. Got to cut costs somewhere, might as well sacrifice the language on the alter of economy!
by ecotopian--2008 March 23, 2009 10:14 AM PDT
umm, it's altar of economy, not alter of economy, while we're discussing usage.
by Dalkorian March 23, 2009 10:26 AM PDT
LOL - gotta love morons who have spelling and grammar mistakes in comments that are doing nothing but berating others for having spelling and grammar mistakes.
by viper396 March 23, 2009 11:23 AM PDT
If being a spelling or grammar cop is all you can contribute then you are not contributing much.

Incidentally, the last half of your last sentence needs work. You probably should check your own writing before taking it upon yourself to correct others. Idiot.

"It would be much easier to read the of articles if the of syntax were of better. "
by ti99_forever March 23, 2009 11:58 AM PDT
viper,

Look up the term "sarcasm". And maybe "irony" while you are at it...
by viper396 March 23, 2009 1:35 PM PDT
@ti99_forever. You might take a moment to look them up yourself too...
by Bill_I March 23, 2009 10:40 AM PDT
Intel has been through this before, the Pentium coprocessor "small error" cost about $500m to replace.
by viper396 March 23, 2009 1:55 PM PDT
Bill_I, the article does mention that old Intel Pentium bug. Did you actually read the entire article?

Whatever the case, this article only hints that the actual threats are extremely overblown by news media and bloggers. Many of them are only interested in prophesying more doom and gloom scenarios than realistic facts.
Unfortunately, this article just plays into more of that doom and gloom propaganda.