X

Intel chip flaw--but what of it?

Researchers warn of a flaw that could spur "CPU cache poisoning." For the moment, though, the danger remains strictly theoretical.

Brooke Crothers Former CNET contributor
Brooke Crothers writes about mobile computer systems, including laptops, tablets, smartphones: how they define the computing experience and the hardware that makes them tick. He has served as an editor at large at CNET News and a contributing reporter to The New York Times' Bits and Technology sections. His interest in things small began when living in Tokyo in a very small apartment for a very long time.
See full bio
Brooke Crothers
4 min read

Some researchers claim that Intel has a serious chip bug on its hands. But that all depends.

Security experts who are into the arcana of chip security may find "CPU cache poisoning" riveting and serious stuff. Others, however, may simply scratch their heads and move on.

But let's not move on too quickly. First, a quote from an abstract of the paper (PDF) that has some of the chip world abuzz. "In this paper we have described practical exploitation of the CPU cache poisoning...This is the third attack on SMM (system management mode) memory our team has found within the last 10 months, affecting Intel-based systems. It seems that the current state of firmware security, even in case of such reputable vendors as Intel, is quite unsatisfying."

Joanna Rutkowska, who exposed the potential of the so-called Blue Pill flaw in August 2006 and who founded Invisible Things Lab, wrote that excerpt (along with colleague Rafal Wojtczuk) and obviously takes this very seriously.

As do others. Not worried yet? "This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill!," writes Jamey Heary in a Network World blog. He is a consulting systems engineer for Cisco Systems.

So now that we know it's scary, what could happen in a worst-case scenario? Suffice to say that gaining access to "privileged" SMM memory would essentially allow hackers to do anything to the target PC that they want. The question is, would they actually take advantage of this particular opening?

"If a hacker can use this new exploit to embed a SMM rootkit (malware) they would have ultimate control over the box (computer). Additionally, it would be virtually undetectable," Heary wrote in response to an e-mail query. But he also added: "In a nutshell. This exploit is very serious and needs to fixed. But...I don't see a mass virus or worm using this. The attacks will be targeted. A rootkit must be perfectly matched to the hardware. This makes mass infection more difficult."

Rutkowska and Wojtczuk, in the abstract, say that the paper discusses "how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits."

Who can do this? "We assume that the attacker has (what is in practice)...equivalent to administrator privileges on the target system, and on some systems, e.g. Windows, also the ability to load and execute arbitrary kernel code," write Rutkowska and Wojtczuk.

And what systems are potentially vulnerable? Though both Intel and Rutkowska say the "attack" presented in the paper has been fixed on some systems, Rutkowska goes on to say: "We have however found out that even the relatively new boards, e.g. Intel DQ35 are still vulnerable (the very recent Intel DQ45 doesn't seem to be vulnerable though). The exploit attached is for DQ35 board--the offsets would have to be changed to work on other boards (please do not ask how to do this)." (Here is a list of Intel motherboards she refers to.)

These motherboards are used with Core 2 Quad, Core 2 Duo, Pentium, and Celeron processors, according to Intel's Web site.

Intel has addressed the matter this way: "We are working with these researchers. We take this research and all reports seriously. Currently as far as we know, there are no known exploits in the wild," Intel spokesman George Alfs said in a written statement.

One point worth noting is that this is not an Intel errata per se, which Intel typically details in processor specification updates. This is a theoretical attack from a malicious hacker. Nevertheless, users can minimize the risk by keeping up-to-date on patches and on operating system and security suite updates. Particularly important are BIOS (basic input/output system) and firmware updates for the processors and motherboards referenced above.

So, what is the average user to make of all of this? Security attacks and security vulnerabilities have been around since (computer) time immemorial (in the relatively brief history of mass-market computing). A report from U.K.-based technology Web site The Register in 2006, for example, suggested that people should not purchase Core 2 Duo systems--now widespread worldwide--because of security vulnerabilities and cited an open-source expert, who prophesied doom and gloom for the Core 2 Duo architecture.

Then there's the whopper of them all--and a flaw very different in nature from the SMM vulnerability discussed above--the show-stopping 1994 Intel FDIV bug, discovered by Professor Thomas Nicely, then at Lynchburg College in Virginia. Also referred to as the floating-point bug, it wasn't a flaw exploitable by malicious hackers; rather, it was a bug in Intel's original Pentium floating-point unit. Certain arcane floating-point division operations done on these processors would generate incorrect results.

This bug, covered prominently by The New York Times and CNN at the time, actually had virtually no affect on users, except causing them to panic and, as a consequence, some insisted that Intel provide them with new processors. The recall cost Intel close to a half-billion dollars.