A pair of security researchers has released a paper and proof-of-concept code detailing a security vulnerability in Intel's processors. In their words, the vulnerability allows the use of CPU cache poisoning to "read or write into (otherwise protected) SMRAM memory."
SMRAM means System Management Mode memory, and according to NetworkWorld blogger Jamey Heary, a rootkit running there would be incredibly difficult to detect. Naturally, such a rootkit could also conceal any number of trojans, viruses, and miscellaneous malware apps running on an infected system. Here's a snip from Heary's blog post:
The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, that the OS cannot control or read SMM, and that the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy!
So, why release details about the vulnerability publicly instead of working quietly with Intel? Well, paper co-author Joanna Rutkowska says she and fellow researchers have already notified Intel. She also explains in another post on the Invisible Things Lab blog:
Interestingly, however, none of us was even close to being the first discoverer of the underlying problem that our attacks exploit. In fact, the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees.
Rutkowska believes someone else would surely discover and exploit the flaw if it remains unpatched, so going public and forcing Intel's hand is a good thing. Oh, and the proof-of-concept code isn't a ready-made rootkit—it's "totally harmless," she claims.