Jump to content

- - - - -

Researchers Discover Rootkit Exploit In Intel Processors That Dates Back To 1997

  • Please log in to reply
1 reply to this topic

#1 Nuno Brito

Nuno Brito

    Platinum Member

  • .script developer
  • 10544 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
    European Union

Posted 10 August 2015 - 10:32 AM

Great. Not surprised, but now is public.





#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14778 posts
  • Location:The Outside of the Asylum (gate is closed)

Posted 10 August 2015 - 12:12 PM

The actual paper is here:
At first sight, besides the linguistic hype:

The architecture has heaped layers upon layers of protections on
these ‘negative’ rings, but 40 years of x86 evolution have left a
labyrinth of forgotten backdoors into the ultra-privileged modes.
Lost in this byzantine maze of decades-old architecture
improvements and patches, there lies a design flaw that’s gone
unnoticed for 20 years.

Side note to hackers/programmers: you are a hacker or programmer you are not H.P.Lovecraft, and you should not try to write as if you were him.
It seems like the actual issue is not with the processor (and dating back to 20 years) but rather with the UEFI:

SMM code is installed during the boot process
by system firmware, the diversity of which typically precludes
a widespread attack. However, select components of system
firmware are derived from a set of Unified Extensible
Firmware Interface (UEFI) template code provided by Intel.

Such is the case for the initial SMM entry point, which is
almost universally deployed on modern systems. An attack
directed against this specific code sequence achieves the
widest possible coverage.



Thankfully, exploitation of the vulnerability requires low-level access to the host system - meaning that an attacker wishing to make use of the flaw to implant malicious code in ring -2 would already need to have ring 0 access, the highest level of access typically available to user-level code.



I think I will sleep fine tonight. :)




  • Nuno Brito likes this

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users