Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
On Thu, Mar 19, 2009 at 11:05 AM, Micheal Espinola Jr michealespin...@gmail.com wrote: http://www.networkworld.com/community/node/39825?netht=rn_031809nladname=031809 Details are rather sketchy, but it does sound ominous. This caught my eye: ... privilege escalation from Ring 0 to the SMM ... Sounds like yet another reason to run as an regular user, not with administrator rights. (Ring 0 being supervisor mode on i386; Ring 3 is user mode, IIRC.) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
The article said this exploit is OS-independent, though, if I read it right. So regular user vs. admin wouldn't make a difference. Or am I totally confused? John Hornbuckle MIS Department Taylor County School District 318 North Clark Street Perry, FL 32347 www.taylor.k12.fl.us -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Thursday, March 19, 2009 11:17 AM To: NT System Admin Issues Subject: Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09 On Thu, Mar 19, 2009 at 11:05 AM, Micheal Espinola Jr michealespin...@gmail.com wrote: http://www.networkworld.com/community/node/39825?netht=rn_031809nladname=031809 Details are rather sketchy, but it does sound ominous. This caught my eye: ... privilege escalation from Ring 0 to the SMM ... Sounds like yet another reason to run as an regular user, not with administrator rights. (Ring 0 being supervisor mode on i386; Ring 3 is user mode, IIRC.) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
That's how I interpreted it as well, but I dont know anything about SMM. -- ME2 On Thu, Mar 19, 2009 at 12:31 PM, John Hornbuckle john.hornbuc...@taylor.k12.fl.us wrote: The article said this exploit is OS-independent, though, if I read it right. So regular user vs. admin wouldn't make a difference. Or am I totally confused? John Hornbuckle MIS Department Taylor County School District 318 North Clark Street Perry, FL 32347 www.taylor.k12.fl.us -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Thursday, March 19, 2009 11:17 AM To: NT System Admin Issues Subject: Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09 On Thu, Mar 19, 2009 at 11:05 AM, Micheal Espinola Jr michealespin...@gmail.com wrote: http://www.networkworld.com/community/node/39825?netht=rn_031809nladname=031809 Details are rather sketchy, but it does sound ominous. This caught my eye: ... privilege escalation from Ring 0 to the SMM ... Sounds like yet another reason to run as an regular user, not with administrator rights. (Ring 0 being supervisor mode on i386; Ring 3 is user mode, IIRC.) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
The article stated the security people find them and notify intel, but if intel doesn't act, then they (security people) notify the public. Now, here's my question, if there is a vulnerability as stated, how do you or should I say does intel go about resolving the issue? Do they fix it at the plant then send out a ridiculous amount of chips? As you said Michael, what is a SMM?! This is a whole new arena and I don't think I was even provide a preview ticket J From: Micheal Espinola Jr [mailto:michealespin...@gmail.com] Sent: Thursday, March 19, 2009 11:33 AM To: NT System Admin Issues Subject: Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09 That's how I interpreted it as well, but I dont know anything about SMM. -- ME2 On Thu, Mar 19, 2009 at 12:31 PM, John Hornbuckle john.hornbuc...@taylor.k12.fl.us wrote: The article said this exploit is OS-independent, though, if I read it right. So regular user vs. admin wouldn't make a difference. Or am I totally confused? John Hornbuckle MIS Department Taylor County School District 318 North Clark Street Perry, FL 32347 www.taylor.k12.fl.us http://www.taylor.k12.fl.us/ -Original Message- From: Ben Scott [mailto:mailvor...@gmail.com] Sent: Thursday, March 19, 2009 11:17 AM To: NT System Admin Issues Subject: Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09 On Thu, Mar 19, 2009 at 11:05 AM, Micheal Espinola Jr michealespin...@gmail.com wrote: http://www.networkworld.com/community/node/39825?netht=rn_031809nladnam e=031809 Details are rather sketchy, but it does sound ominous. This caught my eye: ... privilege escalation from Ring 0 to the SMM ... Sounds like yet another reason to run as an regular user, not with administrator rights. (Ring 0 being supervisor mode on i386; Ring 3 is user mode, IIRC.) -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the Girl Scouts of Southwest Texas company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
Ever since the PIII Intel has included a microcode update mechanism. Not all processor errata are fixable though, and the microcode update needs to be applied on every boot. Microsoft has use it in the past to fix CPU specific reliability problems: http://support.microsoft.com/kb/936357 Thomas Gonzalez wrote: Do they fix it at the plant then send out a ridiculous amount of chips? -- Phil Brutsche p...@optimumdata.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
Apparently at least one of these SMM rootkits has been around since May of last year: Hackers Find a New Place to Hide Rootkits http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_pl ace_t o_hide_rootkits.html or here if the above wraps unusably: http://preview.tinyurl.com/4vfsce Scary stuff, since (a) it's at the hardware level; (b) it has been discussed publically by Intel in employee papers; (c) a PoC rootkit has been out for almost a year. Since it's at the hardware level, even booting off a cleanup CD won't be able to find it ... -- Angus Scott-Fleming GeoApps, Tucson, Arizona 1-520-290-5038 +---+ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
Are you suggesting that such a thing could survive a cold boot? The rootkit has to be stored somewhere it can execute from, and I don't think it'll have much success storing itself in the BIOS. Angus Scott-Fleming wrote: Since it's at the hardware level, even booting off a cleanup CD won't be able to find it ... -- Phil Brutsche p...@optimumdata.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
Ben Scott wrote: Sounds like yet another reason to run as an regular user, not with administrator rights. (Ring 0 being supervisor mode on i386; Ring 3 is user mode, IIRC.) In this case ring 0 is the kernel. All user level processes - regardless of whether the user is root or Administrator or john.smith - run in ring 3. From the CPU perspective administrative vs non-administrative processes are indistinguishable as they are an OS-specific construct. Based on the 4th paragraph in the article, it looks like it would primarily afflict CPUs that have hardware virtualization support (and said support turned on). One hypothetical exploit would be to bypass the hypervisor of, say, ESX and break out of the guest OS and take over the physical machine. -- Phil Brutsche p...@optimumdata.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
On Thu, Mar 19, 2009 at 1:41 PM, Phil Brutsche p...@optimumdata.com wrote: In this case ring 0 is the kernel. All user level processes - regardless of whether the user is root or Administrator or john.smith - run in ring 3. Right, but administrators can do things like inject kernel code. Users can't. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
Can you say Blue Pill??? John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I,CompTIA A+, N+ -Original Message- From: Phil Brutsche [mailto:p...@optimumdata.com] Sent: Thursday, March 19, 2009 1:41 PM To: NT System Admin Issues Subject: Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09 Ben Scott wrote: Sounds like yet another reason to run as an regular user, not with administrator rights. (Ring 0 being supervisor mode on i386; Ring 3 is user mode, IIRC.) In this case ring 0 is the kernel. All user level processes - regardless of whether the user is root or Administrator or john.smith - run in ring 3. From the CPU perspective administrative vs non-administrative processes are indistinguishable as they are an OS-specific construct. Based on the 4th paragraph in the article, it looks like it would primarily afflict CPUs that have hardware virtualization support (and said support turned on). One hypothetical exploit would be to bypass the hypervisor of, say, ESX and break out of the guest OS and take over the physical machine. -- Phil Brutsche p...@optimumdata.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
RE: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09
http://en.wikipedia.org/wiki/System_Management_Mode Gene Giannamore Abide International Inc. Technical Support 561 1st Street West Sonoma,Ca.95476 (707) 935-1577 Office (707) 935-9387 Fax (707) 766-4185 Cell gene.giannam...@abideinternational.com -Original Message- From: Phil Brutsche [mailto:p...@optimumdata.com] Sent: Thursday, March 19, 2009 10:41 AM To: NT System Admin Issues Subject: Re: Rut roh Raggy: Exploit code targeting major Intel chip flaw to be posted 3/19/09 Are you suggesting that such a thing could survive a cold boot? The rootkit has to be stored somewhere it can execute from, and I don't think it'll have much success storing itself in the BIOS. Angus Scott-Fleming wrote: Since it's at the hardware level, even booting off a cleanup CD won't be able to find it ... -- Phil Brutsche p...@optimumdata.com ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~