Christopher Domas reveals an x86 flaw at the Black Hat security conference which can open doors to rootkits

Saw this while reading the AusNOG mailing list

Design flaw in Intel chips opens door to rootkits

> The vulnerability was introduced in 1997, but has remained hidden until now, researcher says.
>
> By leveraging the flaw, attackers could install a rootkit in the
> processor's System Management Mode (SMM), a protected region of code that
> underpins all the firmware security features in modern computers.
>
> To exploit the vulnerability and install the rootkit, attackers would
> need to already have kernel or system privileges on a computer. That
> means the flaw can't be used by itself to compromise a system, but could
> make an existing malware infection highly persistent and completely

While it may be difficult to exploit on the average computer, it seems to be possible. Requires a system to be infected with privileges.


System level privileges are highly likely in successful hack & malware attacks.

Yes, but the system has to be infected. The difficult step in the exploit.

The difficulty depends on the system and the user.

It is possibly one of the more worrying exploits. The article mentions that the latest processors have been “fixed” and the processors that can have their firmware updated are being updated.
But it isn't that difficult a step to infect a system these days. There are thousands of ways, and millions of attackers from individuals through to organised crime and nation states doing so on an industrial scale every day.

The chances of being attacked are extremely high, and while not every attack will succeed, it only takes a small proportion that build up over time to cause havoc. And once a system is taken over, it provides further opportunities etc.

I imagine that right now, black hats of all flavours, are simply overwhelmed with the opportunities, and the amount of stolen information they are gathering.

Few will be using exploits anywhere near this level of ingenuity yet, because they don’t need to. So I’m not saying this exploit is likely to be much in use yet - though is likely some will have it in their armory - I’m saying that it’s not hard for it to be used. Because needing system level privileges through a preceding infection is little barrier in the current environment.

SAFE Network will improve this part of the problem enormously.
Since when is infecting a computer a challenge? Lol
Secondly, since when is escalating privileges a problem? lol


This is exactly what people feared the SMM could do. “Bug” or feature.