Multiple OS Vendors Release Security Patches After Misinterpreting Intel Docs

Almost all major OS vendors released security patches yesterday after a researcher discovered that some OS makers have misinterpreted an Intel CPU debug feature and left their systems open to attacks. From a report: The vulnerability is in how the OS vendors implemented a hardware debug mechanism for Intel x86-64 architectures -- and more specifically the MOV SS and POP SS instructions. "In certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3," the CERT/CC team explained in an advisory published yesterday. Explained in layman's terms, "this may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions." Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros based on the Linux Kernel -- which is also affected.

Linux distros based on the Linux Kernel

yes there used to be one based on a BSD kernel, but now-a-days ???

Re: Linux distros based on the Linux Kernel

[darkain]

Windows Subsystem for Linux? SmartOS LX Branded Zones?

Re: Linux distros based on the Linux Kernel

[K.+S.+Kyosuke]

That was more of a GNU (+friends) distribution rather than a Linux distribution, wasn't it?

Re: Linux distros based on the Linux Kernel

[laffer1]

This is still a thing. https://www.debian.org/ports/k...

Re: Linux distros based on the Linux Kernel

Linux based on BSD userland exists (BSD/Linux). Linux based on BSD kernel is simply GNU/BSD.

Re: Linux distros based on the Linux Kernel

WSL is everything _except_ the Linux kernel... It's the opposite of WINE.

Wow ...

Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros based on the Linux Kernel -- which is also affected.

That must have been some seriously badly written documentation if that many things made the same mistake.

That inspires confidence.

Re:Wow ...

[mikael]

The documentation can be found here on page 2876 of this PDF file

https://software.intel.com/sit...

"6-8 Vol. 3A
INTERRUPT AND EXCEPTION HANDLING
If an interrupt or exception occurs after the new SS segment descriptor has been loaded but before the ESP register
has been loaded, these two parts of the logical address into the stack space are inconsistent for the duration of the
interrupt or exception handler (assuming that delivery of the interrupt or exception does not itself load a new stack
pointer).
To account for this situation, the processor prevents certain events from being delivered after execution of a MOV
to SS instruction or a POP to SS instruction. The following items provide details:
  Any instruction breakpoint on the next instruction is suppressed (as if EFLAGS.RF were 1).
  Any data breakpoint on the MOV to SS instruction or POP to SS instruction is inhibited until the instruction
boundary following the next instruction.
  Any single-step trap that would be delivered following the MOV to SS instruction or POP to SS instruction
(because EFLAGS.TF is 1) is suppressed.
  The suppression and inhibition ends after delivery of an exception or the execution of the next instruction.
  If a sequence of consecutive instructions each loads the SS register (using MOV or POP), only the first is
guaranteed to inhibit or suppress events in this way. Intel recommends that software use the LSS instruction to
  load the SS register and ESP together. The problem identified earlier does not apply to LSS, and the LSS
instruction does not inhibit events as detailed above"

Why document the MOV SS and POP SS instructions first, when the safer option is the LSS instruction.

This seems to be the problem with technology these days. We are offered a dozen different ways of doing things in C++
or assembly language, but only one way is the fastest.

Sounds not like Intel's Poor Writing/

If several unrelated Companies made the exact same error it is more likely poorly written documentation.

Re:Sounds not like Intel's Poor Writing/

What then, is Intel's liability for poorly written docs. Given the nervous sensitivity around CPUs at this time, they should know better and pay attention. Maybe they can pay in $$ to every CPU owner? :)

Re:Sounds not like Intel's Poor Writing/

I used to work with a guy, AT A UNIVERSITY RESEARCH INSTITUTE where we were computer security researchers, who believed that all security usability problems were problems with users lacking discipline. (Mind you, we were both greenish in security and this was 99% M2M IoT security research, so we couldn't do much damage ourselves.) Nevertheless, I was speechless. Couldn't convince him otherwise. Blew my mind that someone could even think this. But, I had to realize: this is a pretty common view for engineers to have. I did it right; the luser just can't get it. Maybe they need to incorporate the concept of user-friendly design, particularly its importance for safety and security attributes, into the ethics course(s) in engineering schools.

Re:Sounds not like Intel's Poor Writing/

[skids]

(snark)

Well, maybe he was right. In this case, the engineers were the users who lacked the discipline to test the veracity of the documentation for the closed system for which they were writing their... pfeh... OS code. Real men design microcode dispatchers.

(/snark)

Re: Sounds not like Intel's Poor Writing/

That is just the egos in academia where âoeif you cannot understand it you are an idiot âoe view is almost universal and âoeif others cannot understand it i must explain it betterâ almost non existent.

AMD

[williamyf]

AMD is affected too...

So, my question is:

Why a developer, developing for AMD-64 on top of AMD Hardware (think Athlon, Buldozer, Ryzen/Epyc et al) would be using an "INTEL's" Docs?

Shouldn't said developer be using AMD's documentation? If so, then, how said developer was also afected?

Re:AMD

[David_Hart]

AMD is affected too...

So, my question is:

Why a developer, developing for AMD-64 on top of AMD Hardware (think Athlon, Buldozer, Ryzen/Epyc et al) would be using an "INTEL's" Docs?

Shouldn't said developer be using AMD's documentation? If so, then, how said developer was also afected?

I don't know the answer. But I believe that the AMD design is, in part, based on the early reverse engineering of one of the early Intel CPUs. It's quite possible that this issue is present in both because the instruction design is the same for both.

Re:AMD

Because this issue is dealing with issue orders in the x86 instruction set that was Intel developed. I'm not familiar enough with what the problem is to know if it was part of the 64-bit extensions that were AMDs contribution to the current x86-64 instructions or not but since it is affecting both Intel and AMD chips both of them were doing things the same way. My understanding however is this instruction goes back before the 64-bit extensions so it was likely Intel.

Re:AMD

AMD was intel's 2nd source in the 80's and made 8086 and 80186 designs under license from Intel. This was before they designed their own compatible.

Re:AMD

[Megol]

No AMD isn't affected. Intel isn't either. The problem is in software, it's the software that is affected.

AMD implements the x86 ISA which was designed by Intel and second sourced by AMD for a while. AMD then started designing their own CPUs based on the same ISA as they had a license that let them do that (as decided by a court of law). They have reverse engineered and used documented sources to make their processors compatible with those of Intel.

So if the hardware works in some specific way (with a few exceptions) then Intel and AMD will work the same. This is ignoring some processor extensions not always implemented by both companies.

Re:AMD

[Khyber]

"Why a developer, developing for AMD-64 on top of AMD Hardware (think Athlon, Buldozer, Ryzen/Epyc et al) would be using an "INTEL's" Docs?"

You don't fucking belong here. AMD and Intel cross-license all kinds of shit to each other for the x86-64 uArch.

Nursing home time for you.

Re:AMD

[UnknownSoldier]

TL:DR; Cross Licensing

Intel cross licensed the x86 stuff (32-bit) to AMD.
AMD cross licensed the AMD64 stuff (64-bit) to Intel.

The longer version:

Intel and AMD got tired of suing each other over patents. They have a LONG history of cross licensing agreements. They renewed it in 2001 and again in 2009.; AMD clarifyied the deal in 2015

It is only natural AMD would use Intel's docs as part of the verification process for the 32-bit stuff.

You can search intel amd cross license agreement for more info. but the agreement are (usually?) confidential.

Re:AMD

[BronsCon]

Anyone who belongs in a nursing home is old enough to know what you just stated. I think you meant daycare.

Re: AMD

the standard is literally called amd64. and people still think amd is a intel copycat.

how can people be this dense?

Re:AMD

[AvitarX]

Why did every software developer (well Linux, Apple, and MS) get this wrong, yet AMD got it right?

That's interesting to me, it seems like Intel and AMD share more than just docs (which makes sense, but still interesting).

Re:AMD

Why did every software developer (well Linux, Apple, and MS) get this wrong, yet AMD got it right?

That's interesting to me, it seems like Intel and AMD share more than just docs (which makes sense, but still interesting).

Well, the article seems to point to something specific about the way Intel implemented AMD64.

Re:AMD

[mikael]

It goes back decades to 1997. Back then, all the big workstations companies were making their own 64-bit processors; Intel, DEC (the DEC Alpha chip), Sun (SPARC) and MIPS.

DEC and Intel got into a lawsuit, and settled for $700 million. DEC was eventually split in into bits, neither of which kept the original designers.
https://www.wired.com/1997/10/...
https://www.extremetech.com/co...
https://www.pcworld.idg.com.au...

DEC and ARM also cross-licensed each others patents, signed before the Intel lawsuit.
Plus many of the designs are based on the original paper by Tomasulo:
https://en.wikipedia.org/wiki/...

Re:AMD

Hardware engineers are better at reading the docs.
Software guys just scroll through and guess at what they think it should do.

Re:AMD

[Khyber]

No, because even children have a better time remembering than old people. That's why it's called senility, for OLD people that now forget such basic shit.

Re:AMD

[BronsCon]

But a child wouldn't remember something before their time.

Re:AMD

The x86-64 (aka amd64) instruction set was developed by AMD while Intel was pursuing IA-64. IA-64 wasn't compatible with the existing x86 instruction set while x86-64 is just an extension to it, which is one reason the AMD architecture won out (otherwise legacy code couldn't run and everything would have needed recompiling rather than phasing it it over a decade).

It's quite possible that the x86-64 instruction that is the problem originates in the older Intel x86 specification.

Re: AMD

[Brockmire]

Because x86 came before that.

Princess Bride moment

[WoodstockJeff]

You keep using that instruction. I do not think it means what you think it means.

Re:Princess Bride moment

[K.+S.+Kyosuke]

Process Bride?

Re:Princess Bride moment

Hello, my name is PA-RISC and you killed my architecture. Prepare to die.

Re:Princess Bride moment

One of the episodes in the original Star Trek. A good one too.

Re:Princess Bride moment

[skids]

Ahh, if only mod points went higher than 5.

Just for clarity

"Apple" and "Microsoft" are not Operating systems. But point still understood. In short, a very highly represented subset of all workstation users.

Understandable

[PingSpike]

Intel probably just had the same guy that drafted the spectre/meltdown response press release write the document and he was kind of on a roll with the whole misdirection thing.

Re:Understandable

[Marxist+Hacker+42]

What I don't get about spectre, meltdown, and now this- is why any *single user* computer cares about accessing the user's own data, regardless of what ring they are in.

Isn't this only a problem for servers and multiple user computers? Why patch user level OS for this?

Re:Understandable

[caseih]

Not at all. You may be the only human user on your system but every day you bring untrusted data and actually programs onto your computer in the form of web pages. With these vulnerabilities, a rogue JavaScript program running in a web site could grab your passwords sitting in memory for other processes. In fact one of the meltdown exploits first demonstrated was in JavaScript. So it's a bigger deal than you think and it does affect you even though you don't run a server and are the only user on your computer.

Re:Understandable

[jittles]

What I don't get about spectre, meltdown, and now this- is why any *single user* computer cares about accessing the user's own data, regardless of what ring they are in.

Isn't this only a problem for servers and multiple user computers? Why patch user level OS for this?

For a variety of reasons. For one thing, the same kernel may be used in both single and multi-user environments. For another, what’s the point of having a root account, with sudo, or UAC, or whatever your access restriction is if a malicious program can easily circumvent those protections and operate at ring -1 or whatever ring that exception is handled at? Just remember that even a single-user may not realize what instructions are being executed on their machine through javascript, or some piece of software that they downloaded. This could be used to open up the entire system to the malicious user’s control by disabling security settings or enabling services that would have required a privilege escalation to complete.

Re:Understandable

[Nkwe]

What I don't get about spectre, meltdown, and now this- is why any *single user* computer cares about accessing the user's own data, regardless of what ring they are in.

Isn't this only a problem for servers and multiple user computers? Why patch user level OS for this?

Because while you may think your computer is "single user", if you are on the Internet (well the Web anyway), there are other "users" actually using your computer. These "users" are things like scripts running on web pages and any malware that you may have obtained. Sure the "user" isn't another person, but it is a process or may come from an actor that may not have good intentions. The same is actually true for any software that you install and didn't write yourself (which is most of it.) Because of this even single user computers have the concept of secure areas or sandboxes where you can run untrusted software. It may be helpful instead of thinking about multiple users, think about multiple security contexts. The issue here is that there are low level instructions normally used by software developers debugging software that allow programs in sandboxes to get out of the sandbox and apparently the documentation that describes this is not clear.

All this being said, modern operating systems *are* multi-user. Sure, one person may own the computer and only create one account on the computer, but the operating system allows you to have multiple logins.

Re: Understandable

Not everyone is some stupid nosy-little gamer that has problems with "hacking" their .ini files like you happen to be!

Re: Understandable

comment above seem to try to make a joke. but there's no way all distros, kernel maintainers, apple, microsoft, etc would be duped if this wasn't a intentional and well executed misdirection.

curious to find the original documents given to them (covered under NDAs I guess)

Re:Understandable

[sexconker]

The "users" of the computer are the various chunks of code running on it and, ultimately, whoever they phone home to.

Unless you audit and understand all code running on your system, you have to prevent programs from being naughty and reaching into some other program's cookie jar.

Re:Understandable

Correct. That, and all the sandbox escapesand vunerabilities over the years are why no sane person allows web sites to run javascript by default.

Re:Understandable

[Marxist+Hacker+42]

Isn't that why you browse with Lynx and turn off scripting?

Re:Understandable

If all my passwords are just sitting around in memory waiting to be retrieved, why do I need to enter them all the time?

Operating systems that mishandle...

[macxcool]

Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros based on the Linux Kernel -- which is also affected.

Apple, Microsoft, and Red Hat are not operation systems ;-) Also, I think most Linux distros are based on the Linux Kernel.

Re:Operating systems that mishandle...

[fibonacci8]

... Apple, Microsoft... Red Hat... and other Linux distros... Motion to have the sentence taken out back and shot.

NetBSD and OpenBSD "Not Affected"

[Ichijo]

Good work, BSD teams!

Re:NetBSD and OpenBSD "Not Affected"

[afidel]

Yeah, looked for OpenBSD and wasn't all that surprised that they weren't affected. Theo is a bit of a douche to work with but he's usually right when it comes to security. OpenBSD also wasn't vulnerable to Meltdown and the OS level variants of Specter because he was already paranoid about cache flushing when thunking between rings due to an earlier Intel bug that he didn't believe was correctly addressed.

Re: NetBSD and OpenBSD "Not Affected"

Oh yeah? And what about your cozy little problem with Linux compatibility you Mormons!

Re: NetBSD and OpenBSD "Not Affected"

We need more theos. Less potterings.

Re: NetBSD and OpenBSD "Not Affected"

Linux compatibility?? Are you a Mormon??!

Re: NetBSD and OpenBSD "Not Affected"

[Mr.+Competence]

Oh yeah? And what about your cozy little problem with Linux compatibility you Mormons!

Mormons are fully Linux compatible. Some of them even use BSD.

Re: NetBSD and OpenBSD "Not Affected"

O RLY?!

NSA backdors

It's good to see these NSA backdoors being closed, one by one.

Re: NSA backdors

Are you windows user? Cause nobody intelligent could write such a thing? Oh yeah the old mantra. Everything is mmkay if you are careful but it's not and this may result in human extinction! Because liberty also means right to have privacy and privacy separates us from animals! That's what I meant by extinction. Think about it. Tl'dr You are mammals.

Re: NSA backdors

That must be some good crack you have there

To be fair

[JOstrow]

If the custodians of every major OS misinterpreted the same document in the same way, shouldn't we consider that the document itself is suspect / at fault instead?

Re:To be fair

[wonkey_monkey]

If the custodians of every major OS

Windows isn't on the list, but I don't know if that means it's definitely not affected.

Re:To be fair

Beat me to it. If every major software vendor makes the same "mistake" in interpreting docs, clearly the docs are the problem.

Re:To be fair

[Medievalist]

Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros...

Windows isn't on the list, but I don't know if that means it's definitely not affected.

I've heard that Windows is the name of Microsoft's Operating System.

Could be fake news, I guess? Maybe Russians al up in ur nets?

Re:To be fair

[yorgasor]

" Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros based on the Linux Kernel"

I'm pretty sure Windows falls under the 'Microsoft' category.

Re: To be fair

Damned Putin and his 128 trilobite IBM pcs

What about Windows?

[wonkey_monkey]

Given that Windows - by far and away the most-used operating system - isn't on the list, are we supposed to assume it's safe?

A confirmation either way would be nice, given the seriousness of the problem.

Re: What about Windows?

Windows isn't safe period.

Re:What about Windows?

Given that Windows - by far and away the most-used operating system - isn't on the list [...]

Reading comprehension isn't really your strong suit, eh?

Re:What about Windows?

Windows is probably number 2. Linux is clearly number one because of embedded devices, IoT, android phones, etc.

Re:What about Windows?

[yorgasor]

"Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros based on the Linux Kernel"

It's safe to assume that Windows falls under the 'Microsoft' category.

Re:What about Windows?

[wonkey_monkey]

There's nothing wrong with my reading comprehension. It's my reading itself that needs work...

Malicious updates

Multiple OS Vendors Release Security Patches After Misinterpreting Intel Docs

I guess I am not affected since I am still on XP with no updates.

Re: Malicious updates

Yes you are. Except ransom ware. Just as people with no internet are immune to browser wars haha.

fip

[AndyKron]

Face in palm.

Enjoy your downmod & "surprise" (lol)... apk

See subject: I've started porting APK Hosts File Engine to Linux via FreePascal & Lazarus, so soon I'll be "honoring" requests put to me here on /. from "penguins" to do so!

* So far I like what I see in KUbuntu 18.04 & FreePascal & Lazarus IDE (just like Delphi 2.0 & enough to get this done) - so far, so good!

So I don't have the TIME to bother w/ your bs as unlike YOU? I am doing constructive things in my program (& domestically in 'spring cleaning' + yardwork)...

APK

P.S.=> ... Lastly - I've been "steering clear" of posting JUST to see if you'd keep up your bs (you have) & I've seen others knowing you're "fake apk" as they called you & them telling you to "F"-off as you "impersonate" me etc. - so your bs is backfiring on you... apk

Clear and concise documention

That is why you always leave a note, with clear and concise documentation.

Oh, NOW I get it.

[ambrose.carracho]

Explained in layman's terms, "this may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions."

@msmash: I, for one, laud your biddable rectitude anent proffering pleonasm-eschewing elucidationary paraphrasing. Kudos!

You just proved you're a SOYBoy (lol) then

See subject SOYBoy (rotflmao) in your UNIDENTIFIABLE anonymous "courageous" trolling you "not man" - LMAO!

(You know - I understand your SOYMilk & Bisphenol A "notman" SOYBoy formulas have addled your brains but that takes the cake for "illogic logic" from "your kind", lol!)

* The other poster's not I but they are making you get all "triggered" when you see your addled thinking fools nobody but your sick in the head chemically NEUTERED (lol) selves, lmao!

APK

P.S.=> Classic - one for my bookmarks... apk

Make sure you add tags to your book marks

add the tags "grammar" and "incoherent rambling". You can go back and reflect on these posts. Please use them to learn to speak like a human being.

I'm guessing APK is on something much stronger than soymilk to have "addled" his brain.