
August 27th, 2008

Intel ships BIOS fix for Rutkowska's Black Hat flaw

Posted by Ryan Naraine @ 8:52 am

Categories: Anti Virus, Arbitrary Code Execution, Complex Attacks, Data theft, Exploit code, Hackers, Kernel-level Exploits, Malware, Patch Watch, Pen testing, Responsible disclosure, Rootkits

Tags: Black Hat, Hypervisor, Motherboard, BIOS Update, Intel Corp., Flaw, System Management Mode, Level Privilege, BIOS, Virtualization

Intel has shipped a BIOS update with a fix for a privilege escalation vulnerability that was used by rootkit researcher Joanna Rutkowska to bluepill the Xen hypervisor.

The vulnerability was discussed by Rutkowska at the Black Hat briefings earlier this month but details on the exploit were withheld until Intel could release its patch.

That patch is now available (you can download a new firmware for your motherboard here) with a severity rating of “important.”

According to Intel’s advisory, software running with administrative (ring 0) privilege can, under certain circumstances, change code running in System Management Mode (SMM).

  • A new BIOS update is available for select Intel desktop motherboards to ensure proper configuration settings. This change would prevent a malicious user from modifying software that is run in System Management Mode (SMM). SMM is a privileged operating environment running outside of OS control. Malicious software running in this environment could therefore perform any number of operations. Administrative level privileges are required to exploit this issue. BIOS updates to correct this issue are available for all affected Intel branded motherboards.

In a blog entry following Intel’s patch release, Rutkowska warns that an attacker could also use this bug to “directly modify the hypervisor memory, without jumping into the SMM first, just as we did it with our exploit.”

  • Also, in the case of e.g. Linux systems, the Ring 0 access is not strictly required to perform the attack, as it’s just enough for the attacker to get access to the PCI config space of the device 0:0:0, which e.g. on Linux can be granted to usermode applications via the iopl() system call.

Affected Intel motherboards: DQ35JO, DQ35MP, DP35DP, DG33FB, DG33BU, DG33TL, DX38BT and MGM965TW (Mobile).

In its advisory, Intel provides a step-by-step walk-through to help identify systems at risk and detailed instructions on updating your BIOS.
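The advisory's "identify systems at risk" step comes down to matching the board model and then comparing the BIOS version against the fixed release. The following is an added inventory check, not Intel's or Rutkowska's code: it reads the board name and BIOS version the Linux DMI driver exposes under /sys/class/dmi/id (assumed standard sysfs paths), normalizes vendor noise such as a "(Mobile)" suffix, and reports whether the host is one of the listed models. The fixed BIOS version numbers are not on this page, so the output only tells you to compare against Intel's release.

```python
import re
from pathlib import Path
from typing import Optional

# Board models listed as affected in Intel's advisory (taken from the article above).
AFFECTED_BOARDS = {
    "DQ35JO", "DQ35MP", "DP35DP", "DG33FB",
    "DG33BU", "DG33TL", "DX38BT", "MGM965TW",
}

# sysfs location populated by the Linux DMI/SMBIOS driver (assumed standard path).
DMI_DIR = Path("/sys/class/dmi/id")


def normalize_board(raw: str) -> str:
    """Reduce a DMI board_name string to the bare Intel model code.

    Vendors sometimes append revision text or a '(Mobile)' marker; keep only
    the first token, upper-cased, so 'MGM965TW (Mobile)' becomes 'MGM965TW'.
    """
    token = re.split(r"[\s(]", raw.strip(), maxsplit=1)[0]
    return token.upper()


def is_affected(board_name: str) -> bool:
    """True when the board model is on the advisory's affected list."""
    return normalize_board(board_name) in AFFECTED_BOARDS


def read_dmi(field: str) -> Optional[str]:
    """Read one DMI field (e.g. 'board_name', 'bios_version'); None if unavailable."""
    try:
        return (DMI_DIR / field).read_text(encoding="utf-8", errors="replace").strip()
    except OSError:
        return None


def assess(board_name: Optional[str], bios_version: Optional[str]) -> dict:
    """Classify a host: unknown (no DMI data), not-listed, or affected-model."""
    if board_name is None:
        return {"status": "unknown", "reason": "no DMI board_name available"}
    model = normalize_board(board_name)
    if model not in AFFECTED_BOARDS:
        return {"status": "not-listed", "board": model}
    return {"status": "affected-model", "board": model, "bios": bios_version or "unknown",
            "action": "compare BIOS version with Intel's fixed release and update if older"}


if __name__ == "__main__":
    print(assess(read_dmi("board_name"), read_dmi("bios_version")))
```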

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Talkback (3 comments):
  • deckhopper@... (08/27/08): Does it affect Windows98?
  • nucrash (08/28/08): Mike Cox was better
  • seanferd (08/28/08): I'd go with 0.9. Considering it's a hardware thing. (Read the rest)
