Kaspersky To Demo Attack Code For Intel Chips
snydeq writes "Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."
At least I know I'm safe because I run... Oh, crap.
How can I believe you when you tell me what I don't want to hear?
...demonstrate how you can make a 1GW fusion reactor out of nothing but a sweaty gym sock and the corpse of a field mouse.
No, seriously. 100%. Cross my heart.
It's OK I run hurd.
...hack everywhere
I don't have an OS installed on my computer.
Nyah nyah.
I'm sure Intel will release a patch. ;)
If fate makes you a motorcycle, you become a motorcycle.
So is it Java or Javascript? Either the summary is wrong or this guy doesn't even know the difference between the two.
will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work
Huh? Javascript != Java!!!!
Monstar L
a knowledge of how Java compilers work
Hrm, seems like he's counting on things happening in a certain sequence. So, perhaps a JVM could do more stuff in an unpredictable order? Perhaps using an SSA representation and context switching threads? Yeah, slightly more expensive, but let Firefox turn it on for me when I'm running untrusted code.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
No... wait....
---- Teach Peace. It's Cheaper Than War.
Their new processors can have their microcode updated, and indeed they do update it with BIOS updates. Dunno if people would bother to update their BIOS to patch it, but yes Intel processors can be patched in the field.
no amount of tinfoil can protect me from this exploit. Only one thing left to do...
*unplugs ethernet adapter*
[NO CARRIER]
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Indeed. And are you going to make patches publicly available for all the hardware and operating systems in the world, too?
1 in 4 Maine children in struggle with hunger.
An attack against a Mac is also a possibility
That's a bit of a conjecture isn't it? Can we at least have a demonstration?
Don't Intel processors contain a flash area? And, if so, what can it be used for? Can it be used in some way to fix or bypass this?
That's right. Another pro for Sun machines.
I thought it was the year of the Linux desktop
I run Hurd through an emulator on a Plan 9 box. hack that!
That's a lot of work. If you were smart like me, you would have done what I did and saved that time by building an x86 clone in your mom's garage!
... Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility.
Why don't they just say... "any computer that has an Intel chip?".. shock value I guess.
Do we have a list of the processors affected by this? Or is this issue in ALL Intel processors?
And slow windows to a crawl.
I wonder if these exploits can be prevented using a filter in the compiler?
If it's via Java, then it must also depend some on the implementation. I doubt that IBM's java engine uses the same calls to the processor as Sun's, which means that there is further abstraction that the claim has to somehow deal with.
Now, on the opposite side of the argument, there's the issue of what happens if the claim is justified. If this is a remote exploit that is truly OS-independent, then it is a remote exploit that can hit OpenBSD, Trusted Solaris, and other secure OSes. These are OSes used for commercially-sensitive work and classified work. If they are potentially vulnerable to attack, that could seriously impact a lot of organizations that, well, really aren't going to like it. In the event of a conflict flaring up between Intel and the US Marines, we may see them moving the bombing practice areas for their aircraft into the North American mainland after all.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
JavaScript can has Java compiler?
Does that mean you can patch your Java compiler?
They call it a flaw, while I call it a backdoor.
They're using their grammar skills there.
Having been involved in compiler work I'm very surprised. I've had to code round some processor faults (and very annoying they are to diagnose too) but I would never have expected that what went out could be subject to attacks like this.
thou discernest my thoughts from afar
Now I have to wrap the whole house in aluminum foil!!
... how Java compilers work, allowing an attacker to take control of the compiler ...
Now I know why javac stole my vacation pictures. It was driven by an attacker!
...unless there is CPU errata that Intel hasn't fixed for years. We've got the chicken-little "the sky is falling" reaction going on here but (unless I'm seriously misguided) Intel fixes their errata.
My personal view is that such malware may only be able to take over a very small percentage of systems out there. The scope may be limited to something as (relatively) rare as an Intel Core 2 CPU within a specific FSB range and specific stepping. Throwing all those factors together, I doubt any such errata would encompass more than 10% of the PCs out there. Considering how many different variations of CPUs are out there--Intel/AMD/Via, Pentium-D/Core 2/Xeon/Pentium-M/Pentium 4, FSB differences, stepping, etc.; such malware might be extremely dangerous for a very small subset of Internet-connected PCs.
Now, if a malware author knows of a CPU bug that Intel/AMD does not know about, then this could be extremely serious, encompassing multiple generations of CPUs...
Windows 3.1x calc: 3.11 - 3.10 = 0.00
Will DemocRATS be the target?
From a secure, undisclosed bunker in Paraguay,
Kilgore Trout
http://conference.hitb.org/hitbsecconf2008kl/?page_id=214 - Remote Code Execution Through Intel CPU Bugs
After I RTFA I found the hitb.org abstract; better than InfoWorld, but still not too informative.
and this one ranks among the hallowed few best described as "excuse me, i just crapped my pants"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Must...get...(my old)..PowerPC...working.
Of course, I plan to store most my work on an x86 fileserver....
As seen on today's TV schedule for Discovery
Now showing: Intel, when code attacks.
Next show: Lasers.
Next week: Shark week.
Carbon based humanoid in training.
If the fundamental flaw is BOTH the way intel chips execute code and a primitive in Java, that could be dangerous.
I could get all snarky and tell everyone I buy AMD, but I wouldn't be too confident that a similar exploit couldn't exist there either.
This is all possible if...
You need to reliably produce a series of instructions on a typical JVM. This doesn't present a problem, as primitive expressions probably get predictable JIT sequences.
The next question is what kind of exploit? Are you running native x86 code? If so, you are still limited by the OS level protection. If you can then create an exploit that elevates your permissions, that's doubly bad.
One more snarky comment. I don't like JITs. I like my interpreted code interpreted, and I like my binary code native. I prefer something like a PHP model where you put glue in PHP and hard code in a C extension or a service.
> The government just supplies a cheap alternative that people elect to use.
No my statist friend, we don't 'elect' to use the USPS if we can avoid it. But we don't have a choice in some cases because the US Government grants a monopoly on letter delivery. UPS and Fedex can deliver freight and, because nobody thought it possible and thus Congress didn't forbid it in time, overnight letters. Notice how totally the private competitors dominate the postal service in those categories? How many YEARS it took for the postal service to even attempt an overnight delivery service... that still only promises (as in refund your money for being late) 2-3 day delivery between most endpoints.
Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete? Of course they could, which is why the Postal Workers unions make damned sure Congress never even brings the subject up. They would probably have to adopt the same subsidy tactics as the USPS, i.e. use bulk mailers to subsidize 1st Class postage. But not being a government agency, once they demolished the USPS would restore actual market forces. So you would end up paying a bit more to send a letter AND get a bit more paper spam. But mail would flow quicker and with greater reliability.
Democrat delenda est
Intel doesn't fix the vast majority of the bugs. Just look at a so-called specification update of Core Solo/Duo.
That a white hat shows that it is possible doesn't exclude the possibility that black hats already found it and are actively exploiting it.
It would be interesting to know the line of processors affected, or a tool that shows that one is vulnerable (ok, maybe not so great an idea, a lot of malware disguises itself as vulnerability checkers). Or if there is any practical limitation on what they can do (i.e. if it is very dependent on processor model, JVM used, OS version and so on).
And, of course, what kind of protection we have in the worst case (that this starts to be widely exploited in the wild). Firewalls don't work here, probably antivirus will be useless too, my best bet is NoScript and similar programs.
I guess this might give a nice boost to finally opening the horrible old, buggy, slow proprietary BIOSes.
http://www.fsf.org/campaigns/free-bios.html
Sounds just like it to me; and I remember the crap Theo had to put up with for his keen observations.
Democracy Now! - uncensored, anti-establishment news
Most machines have Flash chips, OpenBIOS is an OpenFirmware (IEEE 1275-1994) open source alternative with Forth interpreter built in, FreeBIOS will let you bootstrap an OS kernel like Linux (some forms of Windows are also doable), and even Intel's Tiano (used as the basis for many modern BIOSes) is under the BSD license. The range of supported chips, given the three different systems available to you, is vastly superior to the range you can install any commercial BIOS on. Support for industry standards is also vastly superior to many commercial offerings. I say let the commercial BIOSes rot in the cesspit of their own making, and use the technologies that are already available to you.
So what was the problem again?
---- Booth was a patriot ----
Well at least you won't care that your system got rooted...
Big question here. Why the hell are they demoing an exploit which can't be patched? Isn't that kind of...I don't know...nihilistic?
If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
The only thing I got from that was "slave drone troll". So I'll assume you are speaking in trollish, and a dialect I'm not familiar with. At any rate, I was wondering if you would be so kind as to give me your bank account number, as I have a large sum of money that I need to secure for this prince friend of mine...
From the conference description -
"both local and remote attacks which works against any OS regardless of the patches applied or the applications which are running."
"Some of the bugs that will be shown are exploitable via common instruction sequences and by knowing the mechanics behind certain JIT Java-compilers, attackers can force the compiler to do what they want (for example: short nested loops lead to system crashes on many CPUs)."
How is it regardless of the OS or patches if you are relying on certain Java compilers and certain instruction sequences? Wouldn't the software control which instruction sequences were being called? This sounds like complete BS.
If malware based on this "attack code" got into the wild, it sounds like one of the attack vectors would be malicious Web sites (which is nothing new). As many security researchers have been recommending for years, turning off JavaScript and other active content by default will greatly reduce the potential for infection, even from many kinds of as-yet undiscovered exploits. A good way to do this with Firefox (without ruining compatibility with trustworthy sites) is to install NoScript, which allows you to whitelist trusted sites while allowing you to block scripts, Java, Flash, Silverlight, other plug-ins, etc. on every other site by default.
Of course, if the flaw lies in the microprocessor, then there are certainly other potential attack vectors than just malicious Web sites.
Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI instead of BIOS, such as all the Intel-based Macs?
Also, as someone else pointed out, the headline is extremely misleading. The security researcher Kris Kaspersky is not affiliated with Kaspersky Lab or Eugene Kaspersky, but he's apparently the author of a number of books on programming and other computer subjects.
the JoshMeister on Security
... we're reminded of the inherent dangers of a monoculture.
Didn't there used to be an old saying about not putting all your eggs into one basket?
How many more forms of this sage advice can we come up with?
It says something about the collective intelligence of our vaunted "market" economy, no?
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
> Cut it out! No amount of magic spells are going to mitigate this damage!
Yeah, you need a saving throw to do that.
By the power vested in me by mod points, I hereby declare this the one true name of this exploit. All others are fakes.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
AppleTalk is the way to go... make the switch NOW, before it's too late!!
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
It's another case of "security research by press release, you can have the details in X months. in the mean time, I'll pump the PR wires".
Show us the code, or pipe the fuck down you attention whore.
So in summary, I can hardly contain my anticipation. *rolls eyes*
Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete? Of course they could, which is why the Postal Workers unions make damned sure Congress never even brings the subject up.
Can you actually point to the section of the US code that prohibits a third party from delivering first class style mail? I mean, if a private company wanted to sell a service moving an ounce across 3000 miles for 50 cents, they could. It's just, you'd have to be able to go to Wall Street and say, "well, once you invest in 100,000 delivery vans and thousands of local offices, then, I can go and compete with the USPS in a market segment that's slowly dying." It just doesn't look like a business that has any upside to it.
The other thing, too, is that, being a quasi government entity, the USPS has to actually deliver to everyone. UPS doesn't. So, yeah, theoretically, if you privatized the mail, you might find out that you actually wouldn't get -any- mail at all unless you lived in the more densely populated areas of the country.
In any case, now's exactly the time to be touting the miracles of capitalism, when we, the taxpayers of the United States, might be about to double the debt of the Federal Government, which winds up having to do an Amtrak on what's left of our mortgage and finance industry. Yeah, talk to me about the miracles of the private sector right when you go look at the price of Bear Stearns, Countrywide, National City Bank, Lehman Bros, and other stocks. Fine bunch of capitalists, they are, all getting bailed out in one way or the other by, wow, of all things, that grossly incompetent government.
This is my sig.
At least I know I'm safe because I run... PPC!
Look at the bright side people, at least this exploit isn't trivial to exploit, so we won't have to worry about 90000000000 script kittens breaking the interwebs. If the "finder" (HAHAHA) releases a working PoC with a root shell though, or a fucking metasploit module (not likely), then he is the biggest twat, more so than he already is now for releasing this sensitive vulnerability. I'm not all 100% behind nondisclosure but this is one of those things you should STFU about.
Nice one Kaspy
I don't remember any "BR" instructions for the 6600 - then again my exposure to the CDC 6600 instruction set was from an assembly language class I took just over 35 years ago (man, I'm getting old...). I still have my copy of Grishman handy, and while it had a section on branch instructions, the instructions were referred to as "jumps". I'm not that familiar with the 3000 series instruction set (the 3000's were silicon transistor remakes of the germanium transistor 1604), so there might have been branch instructions for the 3000.
Dunno which CDC processor that might have been. With the various Cyber machines I worked with, one standard way to hang a process was to do an EQ * (branch to self); JP * was equally effective. It didn't hang the machine, just the process, and could easily be killed through NOS. In fact, standard practice was to make subroutine entry points be EQ *, so if you somehow entered the routine before it ever got called the process would hang. I never did that, I used PS, so the process would just halt immediately. All the operators ever did with a hung process was to drop it and cause the same crash dump that the PS did.
The HiTB Security Conference in KL website is at http://conference.hackinthebox.org./ see you chaps in KL !
Computer security needs to be more focused on in the media. Remember, companies like Intel spend a lot on marketing. How many places haven't got an Intel sticker? I think we would have a better situation today if the market was not so monotonic. I think this is a lesson for Intel that they cannot continue doing their business like they are currently doing. It will lead to a big disaster in the end. When half the world has the latest greatest chip with the latest greatest backdoor that not even the latest greatest computer hacker can fix :-)
I'm using a browser with disabled scripting (JavaScript, Visual Basic Scripts, ActiveX, Silverlight) and I got infected yesterday while meta moderating. I followed a link to gnaa.org or something like that and picked up a trojan that copied the Internet Explorer cache, history and favorites into the Documents and Settings/
After killing Explorer.exe I was able to delete some of the files, and the rest were converted into unusable files by Microsoft scandisk after I reset my PC.
It seems that some slashdot trolls use a 10+ year old bug in the Windows JPEG decoder used by my internet browser.
I'm using unpatched Windows XP SP2 with most of the Windows services disabled. I'm behind NAT. My PC was infected several times in 3 years, mostly from running infected files. The story from the headline most likely refers to Windows XP PCs that have a direct internet connection. A PC running Windows XP SP2 is quite safe if it is behind NAT and a firewall and if the browser has NoScript or a similar plug-in, as you have pointed out.
Someone pointed out that Intel processors are BIOS-upgradeable. What about computers based on EFI instead of BIOS, such as all the Intel-based Macs?
The BIOS upgrade works around bugs in CPU and chipset, it does not fix the CPU or the chipset. I doubt that Apple needs to update EFI as it was the first one to officially point out bugs in Intel CPU.
Some Intel CPUs allow microcode updates. As far as I know Microsoft and Apple included a microcode update in one of their patches.
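The two threads above (the one about errata being specific to a processor stepping, and the one about whether a microcode update has actually been applied) both come down to the same check: which exact CPU signature you have, and whether the kernel reports a loaded microcode revision. The script below is an added example and not part of the original thread or of Kris Kaspersky's material; it parses the family/model/stepping lines Linux prints in /proc/cpuinfo, rebuilds the CPUID signature (the 0x6FD-style number that vendor specification updates key their errata tables on), and reports the microcode revision if the kernel exposes one. The sample /proc/cpuinfo text is constructed for the example; the CPU names and microcode value in it are illustrative, not a claim about any specific machine.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of the relevant /proc/cpuinfo lines from a Linux box.
# Only the fields the parser uses are shown. The second entry omits the
# "microcode" line, as older kernels do, so the parser must tolerate that.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 23
model name\t: Intel(R) Core(TM)2 Duo CPU     E8400  @ 3.00GHz
stepping\t: 6
microcode\t: 0x60f

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 15
model name\t: Intel(R) Core(TM)2 Duo CPU     E6600  @ 2.40GHz
stepping\t: 6
"""


@dataclass
class CpuRecord:
    processor: int
    vendor: str
    family: int
    model: int
    stepping: int
    microcode: str  # hex string as reported by the kernel, or "unknown"


def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """Rebuild CPUID.1:EAX from the *display* family/model Linux prints.

    Linux prints display values (e.g. family 6, model 23); the raw register
    packs them as extended family/model plus 4-bit base fields. The extended
    model nibble is only consulted for families 6 and 15.
    """
    ext_family = family - 15 if family >= 15 else 0
    base_family = 15 if family >= 15 else family
    if base_family in (6, 15):
        ext_model, base_model = model >> 4, model & 0xF
    else:
        ext_model, base_model = 0, model
    return ((ext_family << 20) | (ext_model << 16)
            | (base_family << 8) | (base_model << 4) | stepping)


def parse_cpuinfo(text: str) -> List[CpuRecord]:
    """Split /proc/cpuinfo into per-CPU blocks and pull out the fields we need."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "processor" not in fields:
            continue
        records.append(CpuRecord(
            processor=int(fields["processor"]),
            vendor=fields.get("vendor_id", "unknown"),
            family=int(fields["cpu family"]),
            model=int(fields["model"]),
            stepping=int(fields["stepping"]),
            microcode=fields.get("microcode", "unknown"),
        ))
    return records


def summarize(text: str) -> List[dict]:
    """One entry per logical CPU: the signature to look up in the vendor's
    specification update, and whether a microcode revision is reported."""
    return [{
        "processor": r.processor,
        "vendor": r.vendor,
        "signature": f"{cpuid_signature(r.family, r.model, r.stepping):#x}",
        "microcode_loaded": r.microcode != "unknown",
        "microcode": r.microcode,
    } for r in parse_cpuinfo(text)]


if __name__ == "__main__":
    import sys
    # Real use: python cpusig.py /proc/cpuinfo ; no argument runs the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CPUINFO
    for entry in summarize(text):
        print(entry)
```

Two caveats worth keeping in mind when reading the output. A reported microcode revision only tells you that some update was loaded by the BIOS or the OS, not which errata that revision works around, so the signature still has to be matched against the vendor's specification update by hand. And a missing "microcode" line means the kernel does not expose the field, not that no update was applied.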
I'm OK - I run ARM Linux :)
"It doesn't cost enough, and it makes too much sense."
The summary says javascript flaw, then it says java.
??
Isn't that the usual approach when other brands are equally vulnerable?
Or is the Mac no longer the big prize it once was?
-- Boycott Shell
Intel chips open to hacks, four minutes to own a Windows machine connected to the Internet, the DNS system wide open to exploits, spam/viruses and phishing running rampant. Like what have these innovators been doing for the past decade?
'This is like deja vu all over again, Yogi'
davecb5620@gmail.com
Am I the only one that happened to read the /. write up on the Stealths being upgraded to Pentiums immediately before reading this article?
Now, of course, they shouldn't be using javascript (or java?) on Stealths, nor are the Stealth's chips likely to have the same bugs.
But it was kind of a double-take inducing sequence of articles...
OK so he gets control of the Java compiler. What then? He is running as a normal user in a normal user account and he still has a long ways to go to take over a Linux or BSD machine.
If you want to run code as the user then it's simpler to just trick him. Write a trojan. "click here for free porn" should work well enough.
...that couldn't already be done through an OS vulnerability? First, for any code to even touch the CPU, it has to be executed. Is there another way to inject code into the CPU that I'm missing? And if the worst it can do is crash the computer, then won't people eventually learn not to [run that program/visit that web site]? The fact that it may be able to crash Windows, Linux and Mac computers that open the same program or web site isn't that exciting to me. And I can't see any way an attacker could leverage a CPU flaw into root access on every OS. Root access is an OS thing, not a CPU thing. Right?
If this were real, USAF would have hired him, hushed it up, and waited until a good time to start crashing machines overseas. The Great Firewall isn't really a firewall, and if TCP packets can be sent to crash any Intel machine, then it'd be darn effective.
It seems so much like snake oil that it better not be true. I am glad that I have AMD in half my machines though, just in case.
And don't forget these folks... :-)
Living not far from the country where this conference will take place, I wanted to attend and apply for a pass. But to my great disappointment, the ticket is about 4000 ringgit, or 900 euros, or 1200 USD. This is simply ridiculous! I will not go, unless I can convince my employer to send me there. And I was very surprised to see that Microsoft is one of the sponsors.