Free Republic


Wintel Flaw Remained Unpatched For Six Years
eSecurity Planet ^ | 25 July 2012 | Sean Michael Kerner

Posted on 07/26/2012 5:38:40 AM PDT by ShadowAce

Unknown to tens of millions of users, a hidden security vulnerability has been lurking on many Intel-based Windows PCs for the past six years.

The vulnerability was found by researcher Rafal Wojtczuk from security firm Bromium. Wojtczuk announced his findings at the Black Hat security conference here in Las Vegas. According to Wojtczuk, the vulnerability he re-discovered was actually first exposed and patched six years ago, albeit only on Linux systems.

The vulnerability involves unsafe use of the x86-64 instruction 'sysret', which 64-bit kernels use to return from a system call to user mode. If left unpatched, a local attacker could carry out a user-to-kernel privilege escalation: code running as an ordinary user could gain kernel (system) privileges and then execute arbitrary code.

In an interview with eSecurity Planet, Wojtczuk noted that only Intel 64-bit chips are at risk, not chips from AMD. He explained that when Intel implemented the 64-bit specification, it made a slight, subtle change in the semantics. The difference lies in where a sysret to a non-canonical return address faults: on AMD processors the fault is taken after the switch to user mode, as an ordinary user-mode fault, while on Intel processors sysret itself raises a general-protection fault while the CPU is still in kernel mode. Because sysret does not load the stack pointer, the kernel has already switched to the user's stack pointer by then, so the kernel fault handler runs on a stack the attacker controls.

"Intel's position is that there is no bug on their side," Wojtczuk said. "The semantics are very explicitly documented in their manuals and it behaves as documented. However the semantics of the instructions are counter-intuitive."
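As an added illustration (not code from the article, from Wojtczuk or from Bromium): a C model of the two vendors' sysret semantics described above, and of the canonical-address check that the fixed kernels apply before choosing sysret over the slower iret return path. The addresses, the 48-bit virtual address width and the state structures are constructed assumptions of the model, not real registers or values from the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model assumption: 48-bit virtual addresses, so bits 63..47 must all equal bit 47
 * for an address to be "canonical". */
#define VIRTUAL_ADDR_BITS 48

enum vendor { VENDOR_AMD, VENDOR_INTEL };

/* Where a #GP handler would run after the attempted return to user mode. */
struct fault_context {
    bool     faulted;  /* a #GP was raised */
    int      cpl;      /* privilege level when it was raised (0 = kernel, 3 = user) */
    uint64_t rsp;      /* stack pointer in effect when it was raised */
};

/* Canonical check: the top 17 bits are all zero (user half) or all one (kernel half). */
bool is_canonical(uint64_t addr)
{
    uint64_t top      = addr >> (VIRTUAL_ADDR_BITS - 1);               /* bits 63..47 */
    uint64_t all_ones = (1ULL << (64 - (VIRTUAL_ADDR_BITS - 1))) - 1;  /* 17 set bits */
    return top == 0 || top == all_ones;
}

/* sysret loads RIP from RCX but never touches RSP, so the kernel has already
 * restored the user's RSP when it executes sysret. */
struct fault_context model_sysret(enum vendor v, uint64_t rcx, uint64_t user_rsp)
{
    struct fault_context ctx = { .faulted = false, .cpl = 3, .rsp = user_rsp };
    if (is_canonical(rcx))
        return ctx;             /* normal return to user mode */
    ctx.faulted = true;
    if (v == VENDOR_INTEL)
        ctx.cpl = 0;            /* Intel: sysret itself raises #GP at CPL0, with the
                                   attacker-chosen user RSP still loaded */
    else
        ctx.cpl = 3;            /* AMD: the switch to CPL3 completes first; the fault is
                                   taken on the fetch from the bad address, in user mode */
    return ctx;
}

/* iret validates the return RIP too (Intel documents #GP for a non-canonical one),
 * but iret loads RSP from its own frame, so the kernel stack is still in effect
 * if it faults. */
struct fault_context model_iret(uint64_t rip, uint64_t kernel_rsp, uint64_t user_rsp)
{
    struct fault_context ctx = { .faulted = false, .cpl = 3, .rsp = user_rsp };
    if (!is_canonical(rip)) {
        ctx.faulted = true;
        ctx.cpl = 0;
        ctx.rsp = kernel_rsp;
    }
    return ctx;
}

/* The fix: use sysret only when the return address is canonical, iret otherwise. */
struct fault_context return_to_user_patched(enum vendor v, uint64_t rip,
                                            uint64_t kernel_rsp, uint64_t user_rsp)
{
    if (is_canonical(rip))
        return model_sysret(v, rip, user_rsp);
    return model_iret(rip, kernel_rsp, user_rsp);
}

/* The condition the exploit needs: a kernel-mode #GP handler running on a
 * user-controlled stack. */
bool handler_on_user_stack(struct fault_context ctx, uint64_t user_rsp)
{
    return ctx.faulted && ctx.cpl == 0 && ctx.rsp == user_rsp;
}

int main(void)
{
    const uint64_t bad_rip    = 0x0000800000000000ULL;  /* constructed: lowest non-canonical address */
    const uint64_t user_rsp   = 0x00007ffe0000f000ULL;  /* constructed: attacker-chosen user stack */
    const uint64_t kernel_rsp = 0xffff880012345000ULL;  /* constructed: kernel stack */

    struct fault_context intel = model_sysret(VENDOR_INTEL, bad_rip, user_rsp);
    struct fault_context amd   = model_sysret(VENDOR_AMD, bad_rip, user_rsp);
    struct fault_context fixed = return_to_user_patched(VENDOR_INTEL, bad_rip, kernel_rsp, user_rsp);

    printf("Intel, unpatched: #GP handler at CPL%d on %s stack\n", intel.cpl,
           handler_on_user_stack(intel, user_rsp) ? "USER-CONTROLLED" : "kernel");
    printf("AMD,   unpatched: #GP at CPL%d (ordinary user-mode fault)\n", amd.cpl);
    printf("Intel, patched:   #GP handler at CPL%d on %s stack\n", fixed.cpl,
           handler_on_user_stack(fixed, user_rsp) ? "USER-CONTROLLED" : "kernel");
    return 0;
}
```

The model makes the point of the article concrete: the same non-canonical return address is harmless on AMD and on a patched kernel, and becomes a kernel-mode fault on an attacker-controlled stack only on an Intel CPU running a kernel that calls sysret without the canonical check.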

The fix first landed in the Linux kernel in 2006 and has remained in place ever since, but only on Linux. For users of Windows 7, as well as the open source FreeBSD and NetBSD operating systems, it's another story. Up until six weeks ago, those operating systems were all at risk from the flaw that Linux patched six years ago. Wojtczuk noted that on June 12, 2012, all of the affected vendors patched their respective operating systems for the Intel privilege escalation flaw.

While the flaw has been present for six years, it's not clear whether it was ever actively exploited. Wojtczuk noted that after the June fix, at least one penetration testing framework now has a working exploit for the Intel flaw.

Additional Undetected Flaws?

While the Intel flaw that Wojtczuk is discussing at Black Hat has now been fixed, he warned that there are likely other such issues lurking inside operating systems today.

"I'm pretty sure that there are many more similar issues in mainline operating systems that can be found and are not yet patched," Wojtczuk said.

From Wojtczuk's point of view, the state of modern operating system security is not really satisfactory.

"Just look through the history of Microsoft advisories for privilege escalation attacks," Wojtczuk said. "They are getting more and more frequent and I'm pretty sure there are lots more of them out there, waiting to be discovered."

Some vendors attempt to limit the risk of privilege escalation attacks by way of application sandboxing. With the sandbox approach, the operating system confines an application, and the privileges it holds, to a restricted part of the system. But Wojtczuk isn't enthusiastic about that approach.

"In the majority of sandbox cases, they still rely on enforcement provided by the operating system," Wojtczuk said. "That's the crucial weakness in the concept of the sandbox, so if there is a flaw in the operating system, the sandbox can potentially be bypassed."

Wojtczuk's research that led to the re-discovery of the Intel flaw wasn't just done as a hobby. Wojtczuk works for Bromium, a company founded by virtualization pioneers from Xen that offers an alternative to traditional sandboxing. Bromium advocates a "secure by design" approach in which the security boundary is not enforced by the operating system. So even if an operating system vulnerability is found, the security that Bromium aims to guarantee will still hold.

"We don't trust the OS," Wojtczuk said. "We put sandboxes around the whole OS."


TOPICS: Computers/Internet
KEYWORDS: bsd; linux; wintel

1 posted on 07/26/2012 5:38:48 AM PDT by ShadowAce

To: rdb3; Calvinist_Dark_Lord; Salo; JosephW; Only1choice____Freedom; amigatec; stylin_geek; ...

2 posted on 07/26/2012 5:39:56 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

Comment #3 Removed by Moderator

To: ShadowAce
Thanks for the post. :-)

4 posted on 07/26/2012 5:43:37 AM PDT by skinkinthegrass (WA DC E$tabli$hment; DNC/RNC/Unionists...Brazilian saying: "$@me Old $hit; different flie$". :^)

To: ShadowAce

The Chinese Army uses Linux. I wonder why it has not been fixed.


5 posted on 07/26/2012 5:47:34 AM PDT by bmwcyle (Corollary - Electing the same person over and over and expecting a different outcome is insanity)

To: bmwcyle

You wonder why what hasn’t been fixed?


6 posted on 07/26/2012 5:49:09 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

I thought WIN’s “flaws” and “bugs” were ***features***? LOL.


7 posted on 07/26/2012 5:55:05 AM PDT by carriage_hill (All libs and most dems think that life is just a sponge bath, with a happy ending.)

To: bmwcyle
Post (without reading the article) and run?

There's a reason why the US Army, Navy, DOE, countless universities, and private companies use Linux.

8 posted on 07/26/2012 6:03:29 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

In other news, the sky is blue and the sun rises in the east.


9 posted on 07/26/2012 6:08:45 AM PDT by hopespringseternal

To: ShadowAce

Not familiar with the specifics of the code, but a possible motive is a built-in back door for “certain agencies” to have access.

If it only affects 64 bit systems it does not sound too serious to most users.

I started using Linux OS’s before 1995.


10 posted on 07/26/2012 6:10:59 AM PDT by Texas Fossil (Government, even in its best state is but a necessary evil; in its worst state an intolerable one)

To: ShadowAce
There was some discussion about this a couple of weeks ago. I think you pinged it, but I don't recall specifically.

 Wojtczuk announced his findings at the Black Hat security conference here in Las Vegas. According to Wojtczuk, the vulnerability he re-discovered was actually first exposed and patched six years ago, albeit only on Linux systems.

Gotta love this. The only safe OS in this case, is Linux.

11 posted on 07/26/2012 8:19:06 AM PDT by zeugma (Those of us who work for a living are outnumbered by those who vote for a living.)

To: ShadowAce
Big whoop!

Run a credentialed vulnerability scan, please, on a Wintel server and the scan will identify a number of High Risk vulnerabilities that have no remediation or fixes available.

Unpatchable High Risk vulnerabilities are business as usual for Wintel.

12 posted on 07/26/2012 8:34:03 AM PDT by ethel rascel (Lurk Mostly)

To: ShadowAce

Why does the title say WINTEL? It appears to be exclusively Intel and not associated with Windows. Did I miss something?


13 posted on 07/26/2012 9:13:16 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton
Did I miss something?

Yes. From the article:
The fix first landed in the Linux kernel in 2006 and has remained in place ever since, but only on Linux.

14 posted on 07/26/2012 9:36:23 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

So 64 bit Macs weren’t impacted either? Or other non-Linux OS’s running on intel?


15 posted on 07/26/2012 12:56:39 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson