August 27th, 2008

Intel ships BIOS fix for Rutkowska’s Black Hat flaw

Posted by Ryan Naraine @ 8:52 am


Intel has shipped a BIOS update with a fix for a privilege escalation vulnerability that rootkit researcher Joanna Rutkowska used to subvert the Xen hypervisor.

The vulnerability was discussed by Rutkowska at the Black Hat briefings earlier this month but details on the exploit were withheld until Intel could release its patch.

That patch is now available from Intel (the advisory links to updated firmware for each affected motherboard) and carries a severity rating of “important.”

According to Intel’s advisory, software running with administrative (ring 0) privilege can, under certain circumstances, modify the code that runs in System Management Mode.

  • A new BIOS update is available for select Intel desktop motherboards to ensure proper configuration settings. This change would prevent a malicious user from modifying software that is run in System Management Mode (SMM). SMM is a privileged operating environment running outside of OS control. Malicious software running in this environment could therefore perform any number of operations. Administrative level privileges are required to exploit this issue. BIOS updates to correct this issue are available for all affected Intel branded motherboards.

In a blog entry following Intel’s patch release, Rutkowska warns that an attacker could also use this bug to “directly modify the hypervisor memory, without jumping into the SMM first, just as we did it with our exploit.”

  • Also, in case of e.g. Linux systems, the Ring 0 access is not strictly required to perform the attack, as it’s just enough for the attacker to get access to the PCI config space of the device 0:0:0, which e.g. on Linux can be granted to usermode applications via the iopl() system call.
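The Linux access path Rutkowska mentions can be shown with a short program. The following is an added example for this post, not code from Intel, the post’s author or Rutkowska: it calls iopl(3), which grants a process (one holding CAP_SYS_RAWIO, i.e. root) the right to drive the legacy PCI configuration ports 0xCF8/0xCFC, and through them reads the SMRAM control register of the host bridge at bus 0, device 0, function 0 to report whether the BIOS has locked SMRAM. The register offset 0x9D and the bit layout (G_SMRAME, D_LCK, D_CLS, D_OPEN) are assumptions taken from the Intel 945/965/3-series host-bridge register layout and are not stated on the page; confirm them against the datasheet for your chipset before relying on the result.

```c
/*
 * smram_lock_check.c
 * Added example for this post (not code from Intel, the post's author, or
 * Rutkowska). It uses the Linux access path quoted above: iopl(3) gives a
 * process the right to drive the legacy PCI configuration ports 0xCF8/0xCFC,
 * through which the host bridge at bus 0, device 0, function 0 can be read
 * or, on an unpatched board, reconfigured. Here the access is used only to
 * read the SMRAM control register and report whether the BIOS locked it.
 *
 * Assumptions not stated on the page (verify against your chipset datasheet):
 * SMRAMC is an 8-bit register at config offset 0x9D of device 0:0:0 on the
 * Intel 945/965/3-series host bridges, with G_SMRAME at bit 3, D_LCK at bit 4,
 * D_CLS at bit 5 and D_OPEN at bit 6.
 */
#include <stdint.h>
#include <stdio.h>

#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
#include <sys/io.h>
#define HAVE_PORT_IO 1
#else
#define HAVE_PORT_IO 0
#endif

#define PCI_CONFIG_ADDR 0xCF8
#define PCI_CONFIG_DATA 0xCFC
#define SMRAMC_OFFSET   0x9D       /* assumed, chipset specific */

#define SMRAMC_G_SMRAME (1u << 3)  /* SMRAM enabled */
#define SMRAMC_D_LCK    (1u << 4)  /* register locked until reset */
#define SMRAMC_D_CLS    (1u << 5)  /* SMRAM closed to code fetches */
#define SMRAMC_D_OPEN   (1u << 6)  /* SMRAM readable outside SMM */

/* Value written to 0xCF8 to select one configuration dword (type 1 access). */
uint32_t pci_config_address(unsigned bus, unsigned dev, unsigned fn, unsigned off)
{
    return 0x80000000u | ((bus & 0xFFu) << 16) | ((dev & 0x1Fu) << 11)
         | ((fn & 0x7u) << 8) | (off & 0xFCu);
}

static void explain(char *why, size_t len, const char *msg)
{
    if (why != NULL && len > 0)
        snprintf(why, len, "%s", msg);
}

/* Decode a SMRAMC byte. Returns 1 only if SMRAM is enabled, not opened to
 * non-SMM code, and the lock bit is set; `why` (optional) gets the reason. */
int smramc_is_locked(uint8_t smramc, char *why, size_t len)
{
    if (!(smramc & SMRAMC_G_SMRAME)) {
        explain(why, len, "G_SMRAME clear: SMRAM not enabled");
        return 0;
    }
    if (smramc & SMRAMC_D_OPEN) {
        explain(why, len, "D_OPEN set: SMRAM readable/writable from outside SMM");
        return 0;
    }
    if (!(smramc & SMRAMC_D_LCK)) {
        explain(why, len, "D_LCK clear: ring 0 (or iopl) code can still reconfigure SMRAM");
        return 0;
    }
    explain(why, len, "D_LCK set and D_OPEN clear: SMRAM locked");
    return 1;
}

#if HAVE_PORT_IO
/* Read one byte of PCI config space through 0xCF8/0xCFC. iopl(3) needs
 * CAP_SYS_RAWIO, i.e. root: this is the capability the post is warning about. */
static int pci_read_config_byte(unsigned bus, unsigned dev, unsigned fn,
                                unsigned off, uint8_t *out)
{
    if (iopl(3) != 0) {
        perror("iopl(3)");
        return -1;
    }
    outl(pci_config_address(bus, dev, fn, off), PCI_CONFIG_ADDR);
    *out = inb((unsigned short)(PCI_CONFIG_DATA + (off & 3u)));
    iopl(0);
    return 0;
}
#endif

int main(void)
{
#if HAVE_PORT_IO
    uint8_t smramc;
    char why[96];
    if (pci_read_config_byte(0, 0, 0, SMRAMC_OFFSET, &smramc) != 0)
        return 1;
    int locked = smramc_is_locked(smramc, why, sizeof why);
    printf("0:0:0 SMRAMC = 0x%02x -> %s\n", smramc, why);
    return locked ? 0 : 2;
#else
    fputs("legacy PCI port I/O is only available on x86 Linux\n", stderr);
    return 1;
#endif
}
```

Build with gcc and run as root on an x86 Linux host; exit status 0 means the lock bit is set. Two caveats: the same iopl(3) call that lets this tool read SMRAMC would let a process write the host bridge's configuration registers, which is why Rutkowska points out that ring 0 is not strictly needed; and a set D_LCK bit on its own does not prove a board carries Intel's fix, since the advisory only says the update corrects configuration settings without naming the registers involved, so use the identification steps in the advisory to decide whether a board is affected.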

Affected Intel motherboards: DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (Mobile).

In its advisory, Intel provides a step-by-step walk-through to help identify systems at risk and detailed instructions on updating your BIOS.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the world. See his full profile and disclosure of his industry affiliations.


Talkback (3)

  • Does it affect Windows98? (deckhopper@..., 08/27/08)
  • Mike Cox was better (nucrash, 08/28/08)
  • I'd go with 0.9. Considering it's a hardware thing. (seanferd, 08/28/08)
