Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kaspersky To Demo Attack Code For Intel Chips

Posted by ScuttleMonkey on from the also-releasing-a-paint-by-number dept.

snydeq writes "Kris Kaspersky will demonstrate how attackers can target flaws in Intel microprocessors to remotely attack a computer using JavaScript or TCP/IP packets, regardless of OS. The demo will be presented at the Hack In The Box Security Conference in Kuala Lumpur in October and will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. The demonstrated attack will be made against fully patched computers running a range of OSes, including Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility."

12 of 303 comments (clear)

  1. Java or Javascript? by Yvan256 · · Score: 4, Insightful

    ... remotely attack a computer using JavaScript or TCP/IP packets ... can be exploited using certain instruction sequences and a knowledge of how Java compilers work

    So is it Java or Javascript? Either the summary is wrong or this guy doesn't even know the difference between the two.

  2. Huh? by antifoidulus · · Score: 3, Insightful

    will show how processor bugs can be exploited using certain instruction sequences and a knowledge of how Java compilers work

    Huh? Javascript != Java!!!!

    --
    Monstar L
  3. Quote by kellyb9 · · Score: 3, Insightful

    ... Windows XP, Vista, Windows Server 2003, Windows Server 2008, Linux, and BSD. An attack against a Mac is also a possibility.

    Why don't they just say... "any computer that has an Intel chip?".. shock value I guess.

  4. Re:They may by slimjim8094 · · Score: 4, Insightful

    If this can consistently crash my computer regardless of OS or browser, I'd sure as hell update my BIOS.

    This is a big deal.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  5. you say tomato... by DragonTHC · · Score: 4, Insightful

    They call it a flaw, while I call it a backdoor.

    --
    They're using their grammar skills there.
  6. Re:Publicly available? by AlHunt · · Score: 4, Insightful

    >I see, so your argument is that if it can't be fixed by the discoverer,
    > they should keep it obscure.

    Yeah, we could have the oft-heard chicken or egg debate. But we both know where it would end up. One side would say "disclose everything right away" and the other side would say "give the vendors a chance to fix it first". See how much time we just saved?

    --
    1 in 4 Maine children in struggle with hunger.
  7. Re:Heh... by g0bshiTe · · Score: 4, Insightful

    Possibly, but as an AMD user myself I can't help but wonder if what can be done on Intel with this won't also open Pandora's box on AMD using the same or similar methods.

    --
    I am Bennett Haselton! I am Bennett Haselton!
  8. Interesting by mlwmohawk · · Score: 3, Insightful

    If the fundamental flaw is BOTH the way intel chips execute code and a primitive in Java, that could be dangerous.

    I could get all snarky and tell everyone I buy AMD, but I wouldn't be too confident that a similar exploit couldn't exist there either.

    This is all possible if...

    You need to reliably produce a series of instructions on a typical jvm. This doesn't present a problem as primitive expressions probably get predictable JIT sequences,

    The next question is what kind of exploit? Are you running native x86 code? If so, you are still limited by the OS level protection. If you can then create an exploit that elevates your permissions that doubly bad.

    One more snarky comment. I don't like JITs. I like my interpreted code interpreted, and I like my binary code native. I prefer something like a PHP model where you put glue in PHP and hard code in a C extension or a service.

  9. Reality check by jmorris42 · · Score: 3, Insightful

    > The government just supplies a cheap alternative that people elect to use.

    No my statist friend, we don't 'elect' to use the USPS if we can avoid it. But we don't have a choice in some cases because the US Government grants a monopoly on letter delivery. UPS and Fedex can deliver freight and because nobody thought it possible and thus Congress didn't forbid it in time, overnight letters. Notice how totally the private competitors dominate the postal service in those catagories? How many YEARS it took for the postal service to even attempt an overnight delivery service... that still only promises (as in refund you money for being late) 2-3 day delivery between most endpoints.

    Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete? Of course they could, which is why the Postal Workers unions make damned sure Congress never even brings the subject up. They would probably have to adopt the same subsidy tactics as the USPS, i.e. use bulk mailers to subsidize 1st Class postage. But not being a government agency, once they demolished the USPS would restore actual market forces. So you would end up paying a bit more to send a letter AND get a bit more paper spam. But mail would flow quicker and with greater reliability.

    --
    Democrat delenda est
    1. Re:Reality check by jonbryce · · Score: 4, Insightful

      You might think that would happen, but if the British experience of removing the monopoly is anything to go by, your postal service will get worse.

      We've always had overnight delivery, but then, Britain is a much smaller country.

      The private operators are only interested in business mail. DX will do deliveries for small companies. The rest of them are only interested in bulk mail, such as bank statements and utility bills. For the rest of us, Royal Mail are now charging more, because they get less of the bulk mail to subsidise personal mail, and they are becoming much less reliable at delivering it.

    2. Re:Reality check by Paradise+Pete · · Score: 5, Insightful
      Do you really think UPS couldn't eat the postal service's lunch on 1st Class postage if they were allowed to compete?

      .

      I don't know. To me it's pretty darn amazing that for 42 cents I can drop an envelop in a slot and a few days later it is hand-delivered to someone on the other side of the country. If that service didn't exist and you asked me to guess what it would cost, 42 cents would not be the answer.

    3. Re:Reality check by mOdQuArK! · · Score: 5, Insightful

      Actually, the main "valid" reason for the government providing letter service is to provide services to those geographic areas where the "free market" would flat out decide that it wasn't worth servicing those areas. If this wasn't a requirement of the USPS, they could easily drop all their rural routes & compete with any of the normal package carriers.

      Of course, whether or not we should be inefficiently supporting those remote rural areas is a whole 'nother area of debate. I'm sure there's a lot of small town supporters that would scream bloody murder if you argue that those small towns should be allowed to disappear by cutting off any form of government infrastructure subsidy for those locations.