Slashdot Mirror


Researcher Exploits 18-Year-Old Design Flaw To Compromise X86 Chips

jfruh writes: Security researcher Christopher Domas has demonstrated a method of installing a rootkit in a PC's firmware that exploits a feature built into every x86 chip manufactured since 1997. The rootkit infects the processor's System Management Mode, and could be used to wipe the UEFI or even to re-infect the OS after a clean install. Protection features like Secure Boot wouldn't help, because they too rely on the SMM to be secure.

6 of 128 comments

  1. Was already known possible by Anonymous Coward · Score: 4, Informative

    http://www.infoworld.com/article/2653209/security/hackers-find-a-new-place-to-hide-rootkits.html

    We already knew this kind of thing was possible, so I guess this is just the first practical implementation? The article is short on details.

  2. Re:HA! by Anonymous Coward · Score: 5, Informative

    Doesn't matter. Any processor from Intel after 2011 no longer has the flaw...

    Old bug; Intel knew about it in 2010; they fixed it in 2011, now it's on the front page of Slashdot in 2015.

  3. Re:Right by t8z5h3 · Score: 3, Informative

    AMD: really it was about tightening up communication between the CPU and RAM by having the memory controller on die (L2 cache level of the 2nd core of the AM2 Athlon X2 processor, but it must have been there before that because of the single-core processors before dual core became a thing), so it could affect AMD computers back to 2005-ish. Does that even sound right?

  4. Details by Anonymous Coward · Score: 5, Informative

    The article is very vague.

    They remap the LAPIC to overlap the SMM memory region which makes data loads of the SMM code fetch values from the LAPIC registers instead of from memory.
    Here you can find the slides and the whitepaper of the Black Hat conference talk.
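The one-line description in comment 4 (the LAPIC window remapped over the SMM memory region) has a direct defensive counterpart: confirm that the Local APIC base never lands inside the SMRR-protected SMRAM range. The Python below is an added example, not code from the article, the Black Hat talk, or anyone in this thread. It decodes the real IA32_APIC_BASE, IA32_SMRR_PHYSBASE and IA32_SMRR_PHYSMASK register layouts, but every register value in it is constructed for illustration; reading those MSRs on a live machine needs a privileged reader (for example the Linux msr driver), which is assumed and not included.

```python
# Added example (not from the article or the thread): decode the Local APIC
# base and the SMRR registers, then flag a LAPIC window that overlaps SMRAM.

IA32_APIC_BASE = 0x1B          # MSR: LAPIC MMIO base in bits 12..MAXPHYADDR-1
IA32_SMRR_PHYSBASE = 0x1F2     # MSR: SMRR base (bits 12..31), memory type (bits 0..7)
IA32_SMRR_PHYSMASK = 0x1F3     # MSR: SMRR mask (bits 12..31), Valid bit (bit 11)
LAPIC_WINDOW_SIZE = 0x1000     # the LAPIC register page is 4 KiB

APIC_BASE_ENABLE = 1 << 11     # xAPIC global enable bit in IA32_APIC_BASE
SMRR_VALID = 1 << 11           # Valid bit in IA32_SMRR_PHYSMASK


def lapic_window(apic_base_msr, maxphyaddr=36):
    """Return (start, end) of the LAPIC MMIO page, or None if the LAPIC is disabled."""
    if not apic_base_msr & APIC_BASE_ENABLE:
        return None
    base = apic_base_msr & (((1 << maxphyaddr) - 1) & ~0xFFF)
    return base, base + LAPIC_WINDOW_SIZE


def smrr_range(physbase_msr, physmask_msr):
    """Return (start, end) of the SMRR-protected region, or None if SMRR is not valid."""
    if not physmask_msr & SMRR_VALID:
        return None
    base = physbase_msr & 0xFFFFF000
    mask = physmask_msr & 0xFFFFF000
    size = (~mask + 1) & 0xFFFFFFFF   # contiguous power-of-two mask -> region length
    return base, base + size


def ranges_overlap(a, b):
    """Half-open interval overlap test."""
    return a[0] < b[1] and b[0] < a[1]


def check_lapic_vs_smrr(apic_base_msr, physbase_msr, physmask_msr, maxphyaddr=36):
    """Classify one CPU's register state.

    Returns one of 'smrr_disabled', 'lapic_disabled', 'overlap', 'ok'.
    'smrr_disabled' is a finding on its own: SMRAM is not range-protected at all.
    'overlap' is the condition described in the thread: SMM code reading what it
    believes is SMRAM would instead hit LAPIC registers.
    """
    smrr = smrr_range(physbase_msr, physmask_msr)
    if smrr is None:
        return "smrr_disabled"
    lapic = lapic_window(apic_base_msr, maxphyaddr)
    if lapic is None:
        return "lapic_disabled"
    return "overlap" if ranges_overlap(lapic, smrr) else "ok"


# Constructed sample register states (not captured from any real machine):
# LAPIC at its default 0xFEE00000, an 8 MiB SMRR at 0x7F000000 (WB memory type).
SAMPLES = {
    "default": (0xFEE00900, 0x7F000006, 0xFF800800),
    "relocated_into_smram": (0x7F000900, 0x7F000006, 0xFF800800),
    "no_smrr": (0xFEE00900, 0x00000000, 0x00000000),
}


def audit(samples=SAMPLES):
    """Run the check over a dict of {name: (apic_base, smrr_base, smrr_mask)}."""
    return {name: check_lapic_vs_smrr(*msrs) for name, msrs in samples.items()}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:24s} {status}")
```

The check is per logical CPU: SMRR and IA32_APIC_BASE are per-core registers, so a real audit reads them on every CPU rather than once. A result of `smrr_disabled` matters as much as `overlap`, since without a valid SMRR there is no range protection for the overlap to defeat in the first place.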

  5. Exploit for machines that are already compromised by Geoffrey.landis · Score: 3, Informative

    Design flaw my ass. I bet it was there deliberately and everybody knows who originally requested it. I just love the good ol US of A.

    From the article linked:

    "To exploit the vulnerability and install the rootkit, attackers would need to already have kernel or system privileges on a computer. That means the flaw can't be used by itself to compromise a system, but could make an existing malware infection highly persistent and completely invisible."

    This doesn't let an outsider break into the system; it is a flaw that only is useful if you have already compromised the machine.

    --
    http://www.geoffreylandis.com

  6. Re:Exploit for machines that are already compromis by steelfood · Score: 3, Informative

    This doesn't let an outsider break into the system; it is a flaw that only is useful if you have already compromised the machine.

    For a Windows machine, that's not a very high bar, especially in 1997 and all the way until... well, it's a little harder today, but not that much harder...

    The problem is persistence. If you get root, you can get firmware and nothing short of throwing the motherboard away would fix it. That's scary.

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."