[QUOTE]A security researcher has revealed a potentially serious vulnerability in x86 processors which allows for malicious code to be injected directly into the chip, providing an undetectable back-door or entirely destroying a system's hardware.
In a presentation late yesterday during the Black Hat security conference in Las Vegas, a white-paper (PDF warning) of which has already been published, researcher Christopher Domas revealed what he describes as a 'design flaw that's gone unnoticed for 20 years.'
This flaw, Domas explains, allows malicious code to jump from 'ring 0,' typically the most privileged level of execution, to 'ring -2,' the System Management Mode.
While running under SMM, said code is able to preempt code running in any other ring, including the 'ring -1' hypervisor, and can even bypass protections such as Trusted Execution Technology.
'Due to an extreme potential for abuse, SMM is protected through innumerable security mechanisms.
However, the complexity of the architecture precludes the simple separations found in higher rings, and SMM security circumventions can be constructed through elaborate configurations of unexpected architectural features.'
During the presentation, Domas revealed a working exploit - tested only on Intel processors, but believed effected on any x86 chips from the last couple of decades - which was able to jump code from ring 0 to ring -2.
'The secondary payload is installed by ring 0, and runs with SMM privileges, after the SMM handler is hijacked through the sinkhole,' he explains.
'The specific effects of the secondary payload are left to the reader’s imagination, but commonly include deeply persistent rootkits, hardware modifications, and system destruction.[/QUOTE]
[url]http://www.bit-tech.net/news/hardware/2015/08/07/x86-security-flaw/1[/url]
Jesus fuck, I thought viruses that could destroy my actual physical hardware was only in my nightmares but it's real??
Do we start panicking yet or is there more to this that isn't covered in the article?
ASM hacks are always totally fucking metal.
Wrapping your head around it is a chore on its own but it's the single most powerful thing you can use to program.
That doesn't look good, respect to whoever found it though.
[editline]9th August 2015[/editline]
[QUOTE]Thankfully, exploitation of the vulnerability requires low-level access to the host system - meaning that an attacker wishing to make use of the flaw to implant malicious code in ring -2 would already need to have ring 0 access, the highest level of access typically available to user-level code.[/QUOTE]
is a good sign.
Well, after reading this, I have no clue how to avoid this, I mean I shouldn't click on EXEs I don't know about but besides that, I honestly don't know. I can't believe this has been gone unnoticed for 20 years.
[editline]9th August 2015[/editline]
[QUOTE=leontodd;48415718]That doesn't look good, respect to whoever found it though.
[editline]9th August 2015[/editline]
is a good sign.[/QUOTE]
Does that mean, for it to affect me, a person would need to be with the processor in the same room?
[QUOTE=Xonax;48415727]Well, after reading this, I have no clue how to avoid this, I mean I shouldn't click on EXEs I don't know about but besides that, I honestly don't know. I can't believe this has been gone unnoticed for 20 years.
[editline]9th August 2015[/editline]
Does that mean, for it to affect me, a person would need to be with the processor in the same room?[/QUOTE]
No, some exploits allow ring 0 access in certain versions of windows. I think device drivers also get access to ring 0. Just don't run any executables you don't trust.
[QUOTE=Xonax;48415727]Does that mean, for it to affect me, a person would need to be with the processor in the same room?[/QUOTE]
This is so wrong its hilariously cute. Basically on processing levels there are different levels of which processes can be ran at, you have levels of which the OS runs at then there are levels for which the hardware runs at, these in simple terms are what ring # are. For someone to get access to -2 they'd need to access 0, commonly by using a fake driver. Ring -2 is extremely hard to get to as its basically what the BIOS runs on as it's a deeper part of the kernel, this image explains it a lot easier.
[img]http://horobox.co.uk/u/reag/2015-08-09_14-17-02.png[/img]
Basically, don't use anything that "hey! its me ur brother :^)" gives you.
Modern oses use just 2 rings
Basically.
[I][B]- Don't run random .exe files
- Make sure any drivers you are getting are from legit sources (avoid shady websites and Sourceforge)
- Make sure to read the comments of any "linux distros" you plan to torrent
- KEEP UAC ON FOR THE LOVE OF GOD, NO MATTER HOW ANNOYING IT IS[/B][/I]
And someone just found a kernel exploit in linux
[url]http://www.openwall.com/lists/oss-security/2015/08/04/8[/url]
[QUOTE=Rahu X;48416244]Basically.
[I][B]- Don't run random .exe files
- Make sure any drivers you are getting are from legit sources (avoid shady websites and Sourceforge)
- Make sure to read the comments of any "linux distros" you plan to torrent
- KEEP UAC ON FOR THE LOVE OF GOD, NO MATTER HOW ANNOYING IT IS[/B][/I][/QUOTE]
To add to your list, use Noscript (or equivalent). I see no reason to trust Java, Flash or Javascript by default.
im getting the impression that barely anyone understands the implications of this
[QUOTE=Rahu X;48416244]…[/QUOTE]
[QUOTE=MegaJohnny;48416298]…[/QUOTE]
I run exe files sequentially so i'm 100% safe.
No, seriously, pretty much everything on windows is done by downloading random crap off the internet and installing it because it has no centralized package repositories or source code available for most applications.
And it doesn't really matter if you have UAC or not if it's going to get exploited/bypassed.
Instead of crippling windows to the point of unusability run linux with chromium and pepper flash instead if you're concerned about anything bad happening because of this exploit (cryptolockerV2?).
Or/And buy a new cpu (if vulnerable)/switch to ARM if it ever gets fast enough for desktop use.
arm will never reliably beat i686
[QUOTE=Map in a box;48416508]im getting the impression that barely anyone understands the implications of this[/QUOTE]
There have only been 14 posts (15 with mine). That's not a great sample size. Besides this is very specific knowledge, even if you use computers for a living you may not understand the actual functions of a computer processor architecture and shit like that.
People know it's pretty not good, the article snippet even spells it out. Just because people aren't replying doesn't mean it's not being taken seriously. But there's only so much normal users are going to be able to understand.
[QUOTE=Map in a box;48416529]arm will never reliably beat i686[/QUOTE]
Can't think of any reason why it couldn't, and why i686 and not x86_64.
For your typical check-email user, this isn't really a concern in most OSs (assuming they don't have any special permissions such as installing drivers, programs, etc).
For power users and admins, its more of a threat as the permissions are there. Since all x86 processors are micro-coded, maybe you could construct a signal pathway that relays SMM access status to ring 0? Thus the kernel can notify the user or potentially trace the executable that's going into ring -2?
[QUOTE]a potentially serious vulnerability in x86 processors which allows for malicious code to be injected directly into the chip[/QUOTE]
there's only one way to stop this
[IMG]http://thumbs.dreamstime.com/x/computer-injection-medicine-injecting-notebook-abstract-concept-virus-killing-system-protection-55272089.jpg[/IMG]
Don't tell software manufacturers about this or they'll start requiring it for all their programs.
[QUOTE=Metalcastr;48417161]Don't tell software manufacturers about this or they'll start requiring it for all their programs.[/QUOTE]
Ubisoft 2016 DRM: Pirate our game and we physically destroy your hardware. You filthy pirate scum.
Well shit, i now have a pile of machines that are worth alot less than i really need if this becomes widespread.
A security blog I occasionally read say that you need Ring 0 access to do this and if you have that it's too late anyway so this is not very important.
[QUOTE=Handsome Matt;48415713]don't run random exes, uninstall flash & java and you'll be fine
[editline]adssad[/editline]
[URL="https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00045&languageid=en-FR"]intel are mitigating it already[/URL][/QUOTE]
But I need Java for Runescape....shit.
When any virus is running on ring0 you are already fucked beyond imagination anyway.
Oh shit, the return of the terror known as CIH?
[QUOTE=Handsome Matt;48415713]don't run random exes, uninstall flash & java and you'll be fine
[editline]adssad[/editline]
[URL="https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00045&languageid=en-FR"]intel are mitigating it already[/URL][/QUOTE]
How do I know what one is mine?
[QUOTE=eloreda;48422143]When any virus is running on ring0 you are already fucked beyond imagination anyway.[/QUOTE]
Exactly this.
No flash or java plugin is going to get anywhere remotely close to this, and if they do, stop installing all those toolbars and just clicking on everything.
I mean, for this to happen, you'd need [b]at least[/b] access to driver installation, which may be able to inject the required code, but may not.
[QUOTE=SuperDuperScoot;48415707]Jesus fuck, I thought viruses that could destroy my actual physical hardware was only in my nightmares but it's real??
Do we start panicking yet or is there more to this that isn't covered in the article?[/QUOTE]
[URL="https://en.wikipedia.org/wiki/CIH_%28computer_virus%29"]It's not just real, it's nothing new.[/URL]
[QUOTE=CoixNiro;48423449][URL="https://en.wikipedia.org/wiki/CIH_%28computer_virus%29"]It's not just real, it's nothing new.[/URL][/QUOTE]
Oh no, I knew that was real since I'm subscribed to a guy on youtube who specializes in old viruses, in fact CIH is what spawned those nightmares. At the time I thought that was just an isolated incident especially since it only worked on specific hardware, but now my view has been expanded.
And it is terrifying.
[QUOTE=Handsome Matt;48423829]The fix is only for their expensive server boards right now (probably because some of their biggest customers use them) the fix will be available in a BIOS update within a few months most likely, it's not really that big of a deal for home users.[/QUOTE]
This is gonna sound dumb but does the BIOS update automatically or is it manually?
Sorry, you need to Log In to post a reply to this thread.
