Slashdot Mirror


Another PIII ID Exploit Found

Peter Hernberg writes "Well, it looks like someone has found another exploit to get your PIII ID. The new story is here." Cyrix and AMD are looking shinier each day.

93 comments

  1. I continue to be amazed at the Intel Attention. by Anonymous Coward · · Score: 0

    OK - If you are worried about this, don't buy a PIII. Until the ID thing is REMOVED. Not 'disabled'. This has the potential to be another thing like that early first-generation Pentium bug...and remember how gracefully Intel handled THAT?

    Meanwhile, Windows 98 is STILL broadcasting info without user consent, and M$ WebTV is STILL transmitting viewer habits without user consent.

    Which violates more privacy?

    No Windows, no WebTV, no PIII.

    I'm sure there are those who will poo-poo these things, but I enjoy having the ability to look elsewhere for computing products - and I'd like to encourage those who provide such alternatives.

    Yay competition!

  2. laughing... by Anonymous Coward · · Score: 0

    First, I must comment:
    I LOVED the line about how windows users are "used to seeing" the blue screen of death.
    It's kind of sad when an exploit can take advantage of the fact that a system crash is a regular occurrence.

    Two, I would just like to ask, does ANYONE know why the P3s are in any way better than the P2s? (Aside from a wimpy 100Mhz clock increase). I mean, get a dual 333 P2, and you're doing better. So even if I stuck with intel, WHY ON EARTH would anyone want a P3?

    -Jaac (Just Another Anonymous Coward)

    1. Re:laughing... by Anonymous Coward · · Score: 0

      Pentium IIs 350Mhz and above also have a 100mhz bus clock speed. At least when used with the 440BX (or better) chipset.

    2. Re:laughing... by Anonymous Coward · · Score: 0

      Yeah I'm laughing too... Quake 3 Arena is going to take advantage of SSE, and after all we should be able to play games with 3k$ machines, course then again Q3A will also take advantage of Dual's :) MMM, yummy, I like the PIII Xeon's myself in a dual configuration, but when you're a good geek you get good toys right?

      BTW something that has just had me itching, as I think AMD is good for competition, I was completely dissatisfied with the performance of the FPU, my rc5 client on an AMD k6-2 300 ran HALF that of a PII 300, and the K6-2 was even on a 100 mhz bus, I hate intel, but until something better comes along I am not going to buy anything worse!

      And don't throw the K7 at me, cause I don't think most people have thought about the cost of the K7.

      First consider the motherboard, Slot A, new technology, some of it from the alpha architecture, hmmm, doesn't sound cheap...

      Second, DDR SDRAM at 200Mhz! Wow that's nice, think it will be double or triple the amount SDRAM costs now?

      Third, what about the CPU, I've heard that K7 is not for beating intel by being cheaper, but being better, to me that means it will be in the price range of the Xeon's, oh well

    3. Re:laughing... by Stradivarius · · Score: 1

      well, the P3s are roughly 10% faster than a P2 at the same clock rate. Plus you get the SSE instructions (which nobody really uses yet, so there's no immediate benefit from SSE at this time, except graphics drivers which I've heard can get boosts of 25%).

      Dual 350s or so would be better, as far as cost/performance I'd imagine (the slower FSB on the 333s would probably make the 350s a better deal). But then you have to run an SMP-aware OS, which is no biggie for most of us, but might be for all those people who want to run Win98 so they can play those games they can't get running well under NT or WINE.

    4. Re:laughing... by Hal-9001 · · Score: 1

      Can't agree more...I just upgraded my K6 233 to a dual Pentium II 333 for hundreds of dollars less than it would cost to upgrade to a Pentium III...I suppose I might be missing the benefits of SSE (after all, you do need a Pentium III to surf the web and type letters...), but when I run NT (and hopefully Linux, if I can ever successfully compile SMP support into my kernel), my box can eat Pentium III's for lunch...

      --
      "It take 9 months to bear a child, no matter how many women you assign to the job."

  3. Re:Uhh, sorry. Not worried. by Anonymous Coward · · Score: 0

    They are not trying to demonstrate the dangers of ActiveX, they are trying to say that the PIII's have a security flaw which can be exploited, in this case they are using an ActiveX module, it easily could be an application that you download to play some game or music that does the same thing and you would not know.

  4. ZeroKnowledge tries to help, and look what happens by Anonymous Coward · · Score: 0

    Gad... the place tries to warn consumers that the processor SN on their shiny new P-III can still be acquired without their knowledge or consent, and they're branded 'malicious' for it.

    InSmell is simply trying to save face. I'll not be buying any of their overpriced silicon any time soon... same goes for Symantec, who was actually stupid enough to go along with the idea of declaring the program "malicious" instead of laughing in Intel's face as they should have.

    Symantec was so much better before they were Symantec. The Norton Utilities were, before Ver. 6, actually useful for something.

    Caveat emptor indeed!

  5. Have they posted the source code? by Anonymous Coward · · Score: 0

    It doesn't have to be craptivX that runs this, right? I can write a windows mail program that enables the PIII serial number during its installation and secretly signs each E-mail you send with the serial number, right? Of course, I'd probably just use the Windows serial number for that but it's nice to have my options open...

    1. Re:Have they posted the source code? by RichMan · · Score: 1

      > It doesn't have to be craptivX that runs this, right? I can write a windows mail program that enables the PIII serial number during its installation and secretly signs each E-mail you send with the serial number, right? Of course, I'd probably just use the Windows serial number for that but it's nice to have my options open...


      Sign the email with the PIII serial number, the Windows serial number, and any software Id codes you can find. Collect as many of these as you can.

      Then look for duplicate software id codes from different PIII/windows serial numbers. Use the ethernet number in the windows serial number to look up the IP number. Resolve the IP number back to a service provider. Fill out a warrant for information from the service provider. Retrieve home addresses and send out the boys in blue to collect the hard evidence in the form of the computer PIII, ethernet card and hard drive.

      It would be easy enough for M$ to hide a macro virus like VB code in the latest patch/OS that would send the email. The rest of the process could be automated right up to emailing the local police a request for a search warrant with all the relevant information attached.

      Now if this happens to anyone do you think they could sue M$ for theft of services in running the email macro virus on their personal computer? Whoever has most $ for the lawyers wins.

  6. Go, Ian, Go! by Anonymous Coward · · Score: 0

    I believe bigger and better exploits are in the works.

    -steve

  7. detected by Anonymous Coward · · Score: 0

    When I tried to go to the exploit page, VirusScan NT says the page is infected with the virus "AX/CPU-Thief.dr". I guess it doesn't really matter for me anyway (I'm on a PPro)

  8. Re:Uhh, sorry. Not worried. by Anonymous Coward · · Score: 0

    It's been claimed that a PIII can forget you turned off the serial number (I think the exploit involves power-saver mode), and that unless code in the BIOS (called every time that happens) turns off the serial number again, you lose. Since Intel's answer was "yeah, BIOS vendors can fix it", I'm guessing it's true, that the user-space utility they originally claimed would fix it can't be relied on.

  9. Re:Uhh, sorry. Not worried. by Anonymous Coward · · Score: 0

    Allegedly a few P2s shipped with serial number support (so they'd know the process actually worked). It isn't real likely, but you might want to check for this.

  10. paranoia re: hidden chip ID by Anonymous Coward · · Score: 0

    why not leave the ID # on an "unused" register after someone performs a triggering operation, like, say, "XOR 666"? if you did this carefully enough, no one would know about their chip ID unless they exhaustively reverse engineered one of the programs which was accessing it.

  11. It makes the author a criminal subject to jail. by Anonymous Coward · · Score: 0

    The declaration of a program to be a virus now has very serious criminal and legal consequences. Write a virus, go to jail. And spend the rest of your life paying off afflicted users. Remember that New Jersey guy and the Melissa virus?

    1. Re:It makes the author a criminal subject to jail. by Anonymous Coward · · Score: 0

      Oh come on now, to be considered in that light you have to 'sneak' it in, if I sell you a program called Hard Drive Erase! with detailed instruction telling you that the software will wipe your harddrive clean and even warn you before doing it, are you going to complain when your drive gets erased? Should a company like Symantec stop that? Sure, why not, I'm a stupid company selling a stupid product. Are they wrong for stopping a company from viewing the product ID on a processor, which only a couple of weeks back is what everyone was concerned with? Is intel holding up the privacy issue by making such a movement?

    2. Re:It makes the author a criminal subject to jail. by Sonic-B-PHuCT · · Score: 1

      I would have to argue that given the legal atmosphere today, You can surely expect to be sued or brought up on charges in some way if there was one stupid user that didn't like it. Boston, for example, is trying to sue Gun Manufacturers for the cost incurred in providing free health care to some of the less affluent victims of Gun shot wounds. Does that really make sense? Is there anyone on this planet that doesn't know that guns were designed to KILL. Look at the states v. tobacco settlement. If a company made something and sold it without any misrepresentation, they would still be held responsible for the Consumer's Stupidity. If another company were coerced into making a blocking product then I think it's clear that there is a monopolistic tendency there. I guess now, the big question is, "Does Intel have any fingers in the 'Net Filtering software to filter out anti-intel sites?" - That's not even close to paranoid in light of the NAV thing.

      -sonic

  12. Write your own 'virus' to send random CPU IDs! by Anonymous Coward · · Score: 0

    That's what I'm going to do. You want to query my CPU ID? Fine. It changes every day or every hour or every query or whatever I decide. I already do this with cookies.

    1. Re:Write your own 'virus' to send random CPU IDs! by Anonymous Coward · · Score: 0

      Heh,heh...now that's a good idea. That'll really screw with their minds! Wonder how one would go about it? Anyone got a PIII they are willing to lend me? :)

  13. Re:Nefarious Porpoises by Anonymous Coward · · Score: 0

    remember ENIGMA? the fedz could keep it quiet for as long as it takes...

  14. Excel is a virus! by Anonymous Coward · · Score: 0

    It's a good thing that Intel didn't think of this
    response when the fp divide bug was first uncovered. They could have just convinced Symantec to add Excel to the list of "viruses"!

  15. Modify Netscape by Anonymous Coward · · Score: 0

    Since we have the netscape code, couldn't we just modify it so that when the web sites query the cpu id, it just returns a given number. Say, that's an idea, we have a "slashdot" number, and it is always returned. Then, when a site is slashdotted, the logs could be examined to find the slashdot number, and how many slashdot users hit the site.

    1. Re:Modify Netscape by PenguinDude · · Score: 1

      Well, yes and no. From what I've read, this exploit (however u spell it) relies on some ActiveX program running on your local machine. AFAIK, there is little ActiveX support for Netscape (there are commercial plug-ins, but I'll be damned if I pay money just to use ActiveX docs).
      The "virus" may have to be integrated into the Flash BIOS to fake out the ID. That would mean the "virus" would be BIOS specific, perhaps even machine specific (definitely a roll-your-own-virus program :) ). Anyone got an easier idea?

  16. BSOD is a FEATURE by Anonymous Coward · · Score: 0

    Microsoft has always been at the cutting edge with respect to communicating system failure to the user. In fact, the BSOD may qualify as a de facto industry standard and perhaps represents another attempt to decommoditize by embracing and extending.

    However, M$ is not content to rest on their laurels, as this feature is rumored to be receiving a major upgrade in Windows 2000. W2K will likely ship in five different boxes, each with a different color (or "flavor", as the marketing people put it) for the system failure screen. This is one feature that seems to work very reliably in Windows.

    1. Re:BSOD is a FEATURE by kertaamo · · Score: 1

      For this reason I think Linux is ultimately doomed. Maybe my hacking skills are not quite up to it but I've been trying to write a Linux version of M$ BSOD for months now and I just can't get it to work. Getting the text and colour right was a snitch. But every time I find a way to totally hang the box Linus breaks my code by fixing the kernel. Can anyone help with this?

  17. Re:In Defense of Intel by Anonymous Coward · · Score: 0

    No, those of us who have to deal with said machines don't get upset about them for that reason. It's more on the order of having to deal with trying to get new license files for our node-locked software @ 3am because a processor toasted itself. Dealing with licenses tied to a processor is the biggest pain in the arse to deal with.

  18. Re:Easier way???? by Anonymous Coward · · Score: 0

    Hey, does this mean you know how to get the source? I had no success searching for the CIH source. I want to know how to flash my BIOS ;-)

  19. Re:Trojan by Anonymous Coward · · Score: 0

    Not to mention how ridiculously badly Inhell treats its foreign and older employees.

  20. Re:VMware? by Anonymous Coward · · Score: 0

    I think unless you execute a trappable instruction (e.g. privileged, accessing unmapped memory, etc.), I'm not sure how the VMWare monitor would even find out what the program is doing. Since (I think) the PIII serial number instruction is unprivileged, it might just give whatever your serial number is (if that's turned on).

  21. Re:Easier way???? by Anonymous Coward · · Score: 0

    Wait, Windows lets user programs modify the IDT? Does it stick it in the first 64k of memory, just like DOS, too? No wonder it crashes so much!

  22. Up with spring! by Anonymous Coward · · Score: 0

    er something.

  23. spoof by Anonymous Coward · · Score: 0

    4 words.
    PIII id number spoof..
    I'm not afraid .. i'm happy.

  24. HA! This doesn't even run. by Anonymous Coward · · Score: 0

    McAfee virus scan detected it as CPU.Thief virus. Come on, this is going to be a threat if you have a decent virus scanner. It will only infect the brainless users that don't use scanners.

    1. Re:HA! This doesn't even run. by Anonymous Coward · · Score: 0

      And the dolts who gleefully run arbitrary machine code under the delusion that one commercial product can reliably determine whether or not it's malicious.

  25. Re:old news with a new twist by Anonymous Coward · · Score: 0

    Ask Symantec to remove zeroknowledge off of its virus list and ask them to add Intel instead. Who is the real stinkin' pest?

  26. Why would you want a P3? by Anonymous Coward · · Score: 0

    SIMD...
    The little bit I read about the new P3 instructions seems like their vector math capability is much improved from p2.

    Anyone played with the idea of a P3 -optimized RC5/DES cracker?

    Anonymous Cowlings
    --yeah@right.oj

  27. CPU ID by Anonymous Coward · · Score: 0

    I want antivirus software to complain about ANY program that does ANYTHING with the CPU ID. And then let me decide whether I want to let it stay on my system. I hope thunderbyte/shark http://www.thunderbyte.nl staff is reading slashdot.

    Anonymous Cowlings
    --yeah@right.oj

  28. Re:Word is a virus by Anonymous Coward · · Score: 0

    Put thunderbyte on all systems
    www.thunderbyte.nl

  29. Re:In Defense of Intel by Anonymous Coward · · Score: 0

    > What definition of virus are people using such that this doesn't qualify

    Um, you know, virus... a program that actively tries to spread itself from one computer to another?

    Trojan, perhaps. Virus, no.

  30. Re:Anti-virus may be correct. by Anonymous Coward · · Score: 0

    Of course, the next step will be that Symantec detects Windows as a trojan. I mean, Windows crashes the user's machine, slows down the machine, changes things without telling the user (ever had your CMOS chip changed by Windows?), etc.

  31. Re:Trojan by Anonymous Coward · · Score: 1

    Symantec calls the ZKS demo a Trojan even though ZKS clearly explains what it is. There is no "hidden" behaviour, it is explained on the ZKS's website.

    This action by Symantec appears to be politically motivated due to partnerships(?) with Intel.

  32. Virus eh? by Special+J · · Score: 2

    I guess Intel figures what's good for M$ is good for them.

    Why acknowledge that there are gaping security holes when you can just convince everyone that it's a virus? There's already a precedent...can you say Word Macro-Virus? Can you say ActiveX? People seem to think they're helpless in the face of a "virus" when they should be howling to get the security holes fixed.

    Phew! *lights smoke* that rant felt good.

    --
    VENI! VIDI! VICI!

  33. Installation tip by Acy+James+Stapp · · Score: 1

    "Step 3--The user's computer downloads the ActiveX code and simulates a 'Blue Screen' crash, a [[generally benign event most users are familiar with]] and that would not necessarily arouse suspicions. The user's computer is rebooted at this point. Unknown to the user, the Active X control has placed on the computer a 'Trojan Horse' designed to bypass Intel®'s Pentium Serial Number control utility and place the user's Pentium® Serial Number in a cookie that can be read by Web sites on the Internet."

    I find this rather funny. I guess those guys have never lost hours worth of new code or gameplay time when their windows machine locks mysteriously.

    --
    -- Too lazy to get a lower UID.

    1. Re:Installation tip by Black+Parrot · · Score: 1

      > I guess those guys have never lost hours worth of new code or gameplay time when their windows machine locks mysteriously.

      I would guess that it happens all the time, but that they just think it's normal.

      --
      Sheesh, evil *and* a jerk. -- Jade

  34. It's intended for systems without the BIOS option by timur · · Score: 1

    It's designed for computers that have an older BIOS which doesn't have the option to disable the CPU ID before boot.

    --
    Timur Tabi
    Remove "nospam_" from email address

  35. Indeed! by Trashman · · Score: 1

    AMD is looking very nice...

    I've recently Been looking for Components for a new SMP box I'm putting together. It seems that Intel is really pushing the PIII. A quick search on pricewatch shows that prices for the lower MHZ PIII's are in line with the Faster PII's.

    I Chose the PII 450. I didn't want to bother with re-wiring and overclocking a Celeron300a.

    I'm waiting to see what the K7 will be like....

    --
    Do not read this .sig

  36. Re:Trojan: Hardware virus built in! by dattaway · · Score: 1

    This is rich:

    Software virus not needed, Hardware virus built in!

    What next?

  37. Re:Uhh, sorry. Not worried. by dattaway · · Score: 1

    > Make sure the Pentium® III computer you own has a BIOS that allows you to turn off the serial number. There is currently no known way to read the serial number if you have disabled it in the BIOS.

    Oh? I can see some bios flashing virus leave that claim to shame. Beware of sploits.

  38. Dull, very dull by Dr.+Evil · · Score: 1

    I never bought Intel's line that this has anything to do with security.

    Personally, I think it has more to do with tracking stolen or overclocked chips. I'm pretty indifferent to all of it. Intel's only mistake seems to be to try to sell the public on this sort of thing. Especially for security purposes.

    I wonder what it would take to 'emulate' a Pentium on a Pentium, and forge the ID?

    1. Re:Dull, very dull by Wumpus · · Score: 2

      > I wonder what it would take to 'emulate' a Pentium on a Pentium, and forge the ID?

      Not much, probably. Ultimately, it's the communications software that's trusted, not the hardware. If a web site wants to know what your CPU ID is, it can either: 1) Ask the browser, or 2) have the client download a piece of trusted code (a signed ActiveX, perhaps) which queries the CPU ID and sends it back, possibly encrypted.

      Either case is easy to spoof. In the first case, you just patch the browser, and have it send a spoofed ID. In the second case, you modify the browser to trap the ActiveX download, and then have it patch the ActiveX in memory to spoof the ID. The patched ActiveX then happily encrypts your spoofed ID, and sends it back. There's no way the web site can know what happened.

      Granted, the second exploit is harder to pull off, but no harder than taking advantage of a buffer overrun, or disabling software copy protection, and both are provably doable.

  39. Nefarious Porpoises by Skip666Kent · · Score: 1

    It would become evident on one level or another I think when whatever Powers That Be started exploiting hidden chip id's for whatever nefarious purposes they have in mind. The minute they blast someone in court after tracking them down via the chip id, the cats will be out of the bag and on their way to Slashdot.

    Reeeeowrl!

    --
    **>>BELCH

    1. Re:Nefarious Porpoises by orabidoo · · Score: 1

      yeah i remember them. i hear a fourth album is coming soon, too.

  40. Re:Stating the obvious by Decibel · · Score: 1

    My question is this... would the anti-virus software detect the exploit if it were coded differently? I'm sure that the details of this will soon make their way to many cracker sites. What happens then? Do we hope that Norton and the other anti-virus people can keep up?

  41. But that's not what they claim by Ryandav · · Score: 1

    The stated goal of the PIII ID is for use in the consumer market as a unique identifier for e-commerce. It has nothing to do with 'entering a high-end server market' or any inability to split the two. Clearly Intel is capable of setting up dual product lines for servers and consumers, witness the Celeron and PII.

    The issue that everyone is uncomfortable with is the default settings for default users, people like your mom and dad who just want to run windows and forget about it, maybe buy a book off of amazon every so often.

    If people can take advantage of these, the script kiddies and hAXors and the rest will take what they can. Yes, I can feel safe inside of my secure linux box, but I cannot bless or condone the threat that intel would like to pose to others who are not as fortunate as I...

    It is not a fair compromise to disable the chips if you can't disable them in the first place. (I don't much think it's a good solution anyway, but if you do, they should still fulfill that obligation)

    --
    Check my Go-related blog for beginners: DGD

  42. Re:My youthful idealism by unitron · · Score: 1

    "...why should Windows/Intel users have to buy another piece of software to protect themselves from a potential security problem in the processsor? "
    Uh, because they were unwise enough to buy the processor?

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  43. VMware? by LinuxGeek · · Score: 1

    I wonder what the virtual cpu under VMware looks like to this ActiveX control? Anyone have the setup to test this?

    --

    Kindness is the language which the deaf can hear and the blind can see. - Mark Twain

  44. Re:Stating the obvious by pqbon · · Score: 1

    If the anti-virus stuff is smart it will just check for an inconsistent setting in the IDenable bit and scream back to the user after fixing it. This could be done on boot and periodically while running....
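
The boot-time and periodic check suggested in the comment above, as an added example that is not part of the thread or any vendor's code: it reads the PSN feature flag (CPUID leaf 1, EDX bit 18) and audits a series of such readings for the serial number coming back on when policy says it should be off. The function names and the sample EDX values are constructed for illustration, and the live read assumes GCC or Clang's `<cpuid.h>` on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#endif

/* CPUID leaf 1, EDX bit 18: processor serial number present and enabled. */
#define CPUID_EDX_PSN (1u << 18)

enum psn_event { PSN_ENABLED_AT_START, PSN_REENABLED };

struct psn_finding {
    size_t index;            /* which sample triggered the finding */
    enum psn_event event;
};

static int psn_enabled(uint32_t edx) { return (edx & CPUID_EDX_PSN) != 0; }

/* Live read: 1 = enabled, 0 = disabled or not implemented, -1 = cannot query. */
static int psn_read_live(void)
{
#ifdef HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return psn_enabled(edx);
#else
    return -1;
#endif
}

/*
 * Audit a series of CPUID.1:EDX readings (boot first, then periodic polls).
 * When policy is "serial number disabled", report the first sample if the
 * flag is already set, and every later off-to-on transition. Findings beyond
 * `cap` are counted but not stored. Returns the number of findings.
 */
static size_t psn_audit(const uint32_t *edx, size_t n, int want_disabled,
                        struct psn_finding *out, size_t cap)
{
    size_t found = 0;
    int prev = 0;

    if (!want_disabled)
        return 0;
    for (size_t i = 0; i < n; i++) {
        int now = psn_enabled(edx[i]);
        if (now && (i == 0 || !prev)) {
            if (found < cap) {
                out[found].index = i;
                out[found].event = (i == 0) ? PSN_ENABLED_AT_START
                                            : PSN_REENABLED;
            }
            found++;
        }
        prev = now;
    }
    return found;
}

/* Constructed readings: off at boot, on at poll 2, off at 4, on again at 5. */
#define EDX_BASE 0x0383B9FFu   /* constructed feature word, PSN bit clear */
static const uint32_t constructed_samples[] = {
    EDX_BASE, EDX_BASE, EDX_BASE | CPUID_EDX_PSN,
    EDX_BASE | CPUID_EDX_PSN, EDX_BASE, EDX_BASE | CPUID_EDX_PSN,
};

int main(void)
{
    struct psn_finding f[8];
    size_t n = psn_audit(constructed_samples,
                         sizeof constructed_samples / sizeof constructed_samples[0],
                         1, f, 8);

    for (size_t i = 0; i < n && i < 8; i++)
        printf("sample %zu: serial number %s\n", f[i].index,
               f[i].event == PSN_REENABLED ? "re-enabled" : "enabled at start");

    int live = psn_read_live();
    printf("this CPU: %s\n", live < 0 ? "CPUID not available"
                           : live ? "PSN flag set" : "PSN flag clear");
    return 0;
}
```

A flag that reads clear only says the feature is off or absent at that moment, which is why the audit looks at transitions over time rather than a single reading.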

  45. Re:Stating the obvious by Stradivarius · · Score: 1

    You make some good points, and for the most part I agree with them. However, I don't think Intel's asking Symantec to include the exploit in their virus list is an attempt to undermine ZeroKnowledge, but rather is an attempt to protect the owners of PIIIs. There's no way to avoid someone malicious from using the exact same exploit to steal people's ID numbers. If the antivirus program can warn about it, then people won't get taken advantage of by sites whose purpose is not legitimate.

    Of course, life would be much better for all involved if ActiveX were to die a quick death. Unfortunately, I don't see that happening anytime soon.

  46. Anti-virus may be correct. by Signal+11 · · Score: 2

    Do a little digging on their page. Turns out this exploit:

    a) crashes the user's machine b) installs code to bypass the PIII feature c) uses that to set a cookie and display it to other websites.

    Intel may have been correct - this has all the earmarkings of a trojan.. and regardless of who publishes it, it still remains one. But it's still incredibly petty of them to have symantec put a patch out for *just* the zero knowledge program. A real solution would be to have symantec develop an algorithm to warn the user of *any* attempt to bypass the PIII control panel, not just zero knowledge's ones.

    Sorry intel, close - but no cigar.

    1. Re:Anti-virus may be correct. by orabidoo · · Score: 1

      actually, no, it's not even close. however much antivirus sw vendors may keep bragging about their heuristic virus detection algorithms, it's ultimately a lost game (and equivalent to the halting problem for turing machines, to boot). there's no way any piece of software can identify all possible bits of code that will simulate a bsod and retrieve the p3 number before intel's program turns it off.

      i have to agree with the "it's a trojan" side of things, too; this program just demonstrates that whenever you run untrusted binary code on your system, it can fuck you up. big news... NOT.

      the real problem is not with having a serial number on p3's, it's with idiotic Intel trying to sell the idea that browsers should retrieve this number and pass it around.

      I look forward to the day mozilla has the ability to do this, so I can hack it (or get patches, I'm sure many people will be making those) to send random numbers.

  47. I use Intel cpu's for performance not Security... by BrookHarty · · Score: 0

    The reason I use an Intel P2 is for speed, fast fpu. As soon as AMD releases a fast FPU, I WILL switch to AMD.
    Intel doesn't want my money, fine....

    Power of choice.
    Brook Harty

  48. Uhh, sorry. Not worried. by Ageless · · Score: 1

    Okay, so, they run some native code that they have to beg me to give permission to run (ignoring the fact that if I were to give some other ActiveX control the same permission it could just read my registry, hard drive directory, and install a keyboard monitor to catch my credit card numbers) which installs a program (I am assuming here) that will turn on my PIII serial number when I reboot.
    Of course, if I had a PIII I would have the program that turns the serial number off in my bootup so that it was always turned off as my computer boots...
    Sorry, just not very worried. The PIII serial number is pure, liquid evil, but this "exploit" is a joke.

    1. Re:Uhh, sorry. Not worried. by Raul+Acevedo · · Score: 1

      Actually, they don't claim they can read the PSN if it is disabled in BIOS. In the FAQ, under "How can I protect myself", they say:

      > Make sure the Pentium® III computer you own has a BIOS that allows you to turn off the serial number. There is currently no known way to read the serial number if you have disabled it in the BIOS.

      > If you do not have the ability to turn off the serial number in the BIOS, do not rely on the PSN control utility to keep the serial number private. Please contact your manufacturer and ask for an update to your BIOS.

      I believe you are correct that the exploit is not limited to ActiveX.

      --
      In a real emergency, we would have all fled in terror, and you would not have been notified.

    2. Re:Uhh, sorry. Not worried. by Trojan · · Score: 1

      If Intel can write a utility in software that lets you enable or disable the PID, then obviously any program with access to the hardware (like on Win95) can do the same. Just a matter of disassembling that utility.

      It is nowhere stated that the PID is retrieved before the reboot.

      So there's nothing about this 'exploit' that gives any new insights.

    3. Re:Uhh, sorry. Not worried. by Hal-9001 · · Score: 1

      Uhh, I think you should visit the page, because it is quite apparent that you haven't. The claim is that it will extract the PID even if you've disabled it through software or BIOS. I say claim because I can't exactly try it myself: I'm running dual Pentium II's, which is a lot cheaper than a Pentium III. I would also extrapolate that the ability to extract the PID is not limited to ActiveX; I imagine that one could write a trojan that could do the same thing.

      --
      "It take 9 months to bear a child, no matter how many women you assign to the job."

  49. Missing the point by S"Q"K · · Score: 1

    Using ActiveX was a good way for them to make their point as MS is still the most popular OS/Browser for the average user.

    I'm willing to bet that this could just as happily been done in assembler or C. (Admittedly, this would make it a pain to use over the Web, but Java may work just as well.)

    -S"Q"K

  50. Re:Other uses... by IntlHarvester · · Score: 1


    I believe that "Windows Update" does exactly what you suggest.

    --
    Business. Numbers. Money. People. Computer World.

  51. Late news by yonderboy · · Score: 2

    This has been out for almost 2 months now. It was on HNN back in March. Funny how the mainstream just got a hold of this...

  52. Re:Intel really SUCKS by Sloppy · · Score: 1

    What a ridiculous attitude. This exploit cannot affect you unless you already are willing to download and execute (?!) foreign code. If you do those sorts of things, then nothing that Intel puts in their chips is going to lessen your privacy or security.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.

  53. SoftChips & Microcode by Amoeba+Protozoa · · Score: 0

    This is just the start of things. Imagine all of the fun exploits that will be out there when more and more chips in production rely more and more heavily on microcode?

    All sorts of evil could be accomplished. Imagine: let's change that MOV instruction to...

    I wonder on an (allegedly) dynamic chip like whatever is supposed to be coming out of Transmeta, how they are going to handle this issue?

    -AP

  54. INTEL A Monopoly? Why whatever gave you such idea? by Sonic-B-PHuCT · · Score: 1

    What the hell? It's ok now for Intel to just declare things it doesn't like as viri and bully the Anti-Virus makers into doing their dirty work? Here you go DOJ, do your worst against this NOT so Phantom Menace. While I can appreciate INTEL's investment in Linux by working with RedHat and Cygnus, this goes too far. I'm not sure I want that kind of Dirty Money in our Community. I guess it's not a far away day when Intel will be telling us what's good for us by forcing SuSE & RedHat into stuff they don't want to do. I dunno, I call BullShit Intel, time for you to drink!

  55. Intel really SUCKS by periscope · · Score: 0

    What a stupid company. I used to love intel. I love my PII 400, but I'd NEVER buy from them again!!! Why can't they just learn a lesson? I now send them about 20 e-mails a week on the subject but never get any reply. Perhaps that ex-intel employee was right? :-)

    --
    http://www.jonmasters.org/
  56. Re:Trojan by Mr+T · · Score: 1
    I thought that was a nice touch. Nothing quite like a little paranoia.

    For a company as powerful as they are, I was really impressed with Intel's behavior up until fairly recently (the last couple years.) It seems like they are really pushing the limits in the same way MS does (not that they are explicitly unethical but they dance close enough to the line that it makes you question it)

    I can understand some things, they are being attacked by a lot of different companies on a lot of different levels but it's getting pretty bad. Symantec has no reason at all to list this program as a virus or a trojan, Intel needs to come up with a better scheme.

    --
    This is my signature. There are many signatures like it but this one is mine..
  57. old news with a new twist by chris.dag · · Score: 1


    I think the zeroknowledge example code has been around for a while now. The real news today centers around the discovery of Intel getting the antivirus people to declare the zeroknowledge stuff malicious.

    -chris

  58. geezus by Sybir · · Score: 0

    Everyone stop using M$ and it sounds like a solution....ActiveX seems to do more harm than good.

    1. Re:geezus by ZenBoy · · Score: 0

      Active X is all f'ed up. If I could count the number of times that Active X has crashed my work machine, but the more important issue is that Intel created the serial numbering system, which was a bad idea to begin with, but they implemented it so poorly that it can be altered, defeated, and used against the end-user.

      -Zen

      --
      -Zen I'm gonna make the _world_ my bitch.
  59. Re:In Defense of Intel by MSackton · · Score: 1

    One other thing:

    If Intel really wanted to use the PIII for nefarious purposes, why would they go to all this trouble to stop someone using it for nefarious purposes?? I mean, I enjoy conspiracy theories as much as the next person, but they are just a *game*.

    Mike

  60. Re:In Defense of Intel by MSackton · · Score: 1

    jovoc wrote: "Uh.. it crashes the computer, but only with your consent. There are big bold letters warning you that this will happen if you press "ok". "

    Yes; and if I copied the ActiveX control and put it on a webpage saying click here to see my comments on slashdot, then that would also crash your computer. There is a difference between the HTML and the ActiveX control. I'm assuming the Symantec/Intel and co aren't saying that visiting that webpage is bad, just that running that ActiveX control is bad. Good for them. It is bad. And if you want to ignore the warnings of an anti-virus program, go for it. But don't complain when something that you didn't want to happen happens.

    jovoc wrote "Heh, under that definition, Windows itself is quite a virus. "

    In case it wasn't clear, I meant intentionally crashes your computer. If a bug in the program causes the computer to crash, it's clearly not a virus.

    Mike

  61. In Defense of Intel by MSackton · · Score: 4

    I have to say, I find all the disgust over Intel's PIII id somehow overstated in the linux community and these recent comments seem to be the worst.

    Intel has asked that anti-virus people list as a virus a program that *crashes the users computer without their consent*! What definition of virus are people using such that this doesn't qualify? Not only does it crash the user's computer, it reveals information that the user doesn't want revealed. If instead of revealing the PIII, this program searched for Quicken documents and mailed them to a hotmail account, would we be saying that whoever makes Quicken shouldn't call it a virus?

    I agree that on general principle the PIII id isn't a wonderful idea, but I can understand why Intel did it. Most high-end computers (Sun, SGI, Alpha?, etc) ship with some sort of unique id, for licensing purposes. The only reason people don't get upset about that is that they are not personal computers, but servers, so they cannot be linked to an identity. Intel wants to enter that market, and CPU ids are needed. But they then anger the consumer market. What should they do? The road they took (disable the PIII id, unless you need it for a server) seems like a fair compromise. Why is everyone so upset at them?

    Finally, under a real operating system, this sort of exploit would be useless unless it was run as root. And if you go web browsing as root, you deserve what you get :-)

    Mike Sackton

    1. Re:In Defense of Intel by jovoc · · Score: 1

      > Intel has asked that anti-virus people list as
      > virus a program that *crashes the users computer
      > without their consent*!

      Uh.. it crashes the computer, but only with your consent. There are big bold letters warning you that this will happen if you press "ok".

      Heh, under that definition, Windows itself is quite a virus.

  62. My youthful idealism by DonkPunch · · Score: 1

    Maybe there is no deliberate intent to discredit Zero Knowledge, but why should Windows/Intel users have to buy another piece of software to protect themselves from a potential security problem in the processor?

    As a side note -- how long until someone comes up with a similar piece of code that IS malicious and is NOT publicly announced?

    I see this as an unfortunate example of corporate cost/benefit analysis. It's too expensive to go back and fix the security problem or remove the ID altogether. Just declare the code which exploits it as potentially malicious, then partner with a software company to develop protection against it. It's a win-win for everyone except the customer, who ends up gouged.

    Everyone (including Intel, I'm sure) knows that the Right Thing is to fix the problem and release PIIIv2, but that's expensive and it's bad PR to admit a problem (everyone will want a free replacement).

    Maybe my expectations are too high, but stuff like this makes the "Ralph Nader" in me a little angry.

    --

    Save the whales. Feed the hungry. Free the mallocs.
  63. Stating the obvious by DonkPunch · · Score: 5

    It is disturbing how some companies react to people who find flaws in their product.

    Remember the Internet Exploder control? It was an ActiveX component which, when loaded with a web page, would count down ten seconds and shut down a Windows computer. The creator did it for the sole purpose of demonstrating potential security dangers with ActiveX.

    Microsoft and Verisign threatened the guy with court action for obtaining a Verisign certificate under false pretenses. Never mind that part of his demonstration was just how easy it is to obtain such a certificate.

    Now Intel has declared Zero-Knowledge's little demo to be a virus or trojan. Apparently, the goal is to discredit them. The worst part is that I think just about everyone saw it coming before they even got to "Intel's response" part of the article.

    Here's the obvious part of my comment -- this tactic is pretty foreign to the Free Software community. It seems that most security problems with Free operating systems are received with, "thank you," and then they are FIXED. If you actually write a program which demonstrates the problem, you're a hero. No one attacks your credibility or motives. In fact, you are likely to GAIN credibility.

    Of course, by posting this here I'm pretty much preaching to the choir. :)

    --

    Save the whales. Feed the hungry. Free the mallocs.
  64. Re: Free Software Security Issues by dmv · · Score: 2

    Just to add/refute a bit on the 'obvious part' of your comment. The tactic of hauling in a legal team is different than that taken in free software. However, there is a very split set in the security sector on the appropriate way to find and discuss bugs.

    Almost monthly, you'll get flames starting up on Bugtraq about this. Bugtraq is a full disclosure unix security list - often, raw exploits are posted to it, or tools that someone used to replicate a problem they may have found in software (free or not). Very often, you'll have the author - a vendor, a coder, or a maintainer - or another person bitch about this, because they weren't given prior notice or warnings, etc. Example: The lsof bug of February (thread starts here).

    These threads sometimes, in fact, revolve around people posting for credit or ego/status. While Intel is acting very different, our free movement is not always the clean "thank you" we'd like. However, that's often justified - especially with free software, it's better to come bearing patches rather than problems.

    Of course, regardless, our bugs get fixed faster.

  65. Re:Word is a virus by Omar+Djabji · · Score: 1

    Actually, since word is really just a bloated virus breeding ground, I suggest they list Microsoft Word as a virus.

    I have had to tell many many people, "sorry, I can't help you recover your document. It was eaten by a word macro virus." At which point they leave the room crying because they spent the last 2 years writing that thesis. . . .

  66. Maybe it is a good thing by Rocket+Boy · · Score: 1

    For those people out there without the honorable intent that Zer0Knowledge has, I think Nav popping up a warning when this type of control is a good thing. Last time I checked (which was a while ago...) I could copy X controls and use them on my site.

    RB

  67. weee as if i wasn't easy enough to identify by telos · · Score: 1
    o my my..

    as if i was not easy enough to identify as some insane /.er you can say hi to my office too. now won't my boss be happy about the security breach?! this will prevent several banks from doing online banking for a good while once the top brass find out about it. so much for e-commerce. stuff like that is what keeps a lot of companies off of the internet in the first place. if intel really wanted to sell the idea of the internet and their chips as business sales tools then they really should take a few clues from the financial world and do their damnedest to keep security and privacy specs up to date.


    you know, that is just all i need.. as if it was not easy enough to spot a red dress and lapel pin insignia..


    if you don't look at the fnords, they won't eat you.
    --
    "Alt-F4 that's for quitting" quoth Dan_Wood
  68. Trojan by Red+Knight · · Score: 1

    Symantec declares this as a Trojan. It doesn't harm anything. This is just abuse of power by Symantec and Intel.

    1. Re:Trojan by Hal-9001 · · Score: 1

      On a related sidenote, NAV gets really obnoxious when you try to visit the Zero-Knowledge page about the exploit. It harassed me at least 3 times before letting me view the page. I suppose it would be useful if it were malicious, but in this case, I think it's just really stupid and really annoying...

      --
      "It take 9 months to bear a child, no matter how many women you assign to the job."
  69. Easier way???? by tlight · · Score: 1

    Isn't it easier to get to ring0 the CIH way (modify IDT, generate exception)? I guess you wouldn't have to reboot that way (I can't test it ;-)

    1. Re:Easier way???? by tlight · · Score: 1

      CIH source still at:

      http://users.skynet.be/somnus/virshop.html

      (sssh! don't tell anyone)

  70. Other uses... by cr0sh · · Score: 0

    This may have been touched upon...

    Rather than grabbing the ID for later cookie retrieval, what about going through the registry and checking/verifying all M$ (or other vendor) software is valid? How many Win 9x installs are on the desktop (in businesses) that are copies from a single license? A lot, I'll wager!

    The one true solution to this is to dump Windoze, and move to a real OS - one that you can secure.

    I do like the idea that the exploit used TBSOD as a means of diverting attention - think of all the fun this could open up!

    --
    Reason is the Path to God - Anon
  71. Next Computer by droid · · Score: 0

    This is why my next computer will not have an Intel processor.... (at least not one with this ID stuff....)

    Instead it'll be an AMD K7 (or an Alpha... if I can afford it...)

    Go AMD!

    /Droid