Why agro the OS when you can pwn the hardware?
While most of the vulnerability alerts I see are XSS and SQL injection, there are some really nasty low-level attacks coming out.
I’ve posted about Blue Pill and subverting virtual infrastructures.
Kris Kaspersky of Kaspersky Labs has uncovered flaws in certain Intel chips that can allow remote attackers to execute arbitrary instructions. (Read: Remote code execution through Intel CPU bugs)
Now, let’s think about this a sec. The flaw is in the CPU, not the OS.
It doesn’t matter what OS, how hardened it is, or nuthin’.
If you can get your attack instructions to the CPU, the processor will happily run them.
Pwnage at the lowest level.
Intel has reportedly fixed the remotely exploitable bugs (it will not fix the bugs that are not remotely exploitable):
Researcher: Intel fixed two critical flaws in its chips
Intel proactively fixes security flaws in its chips
But what does a processor patch look like? Can you say firmware update?
That’s my speculation.
How many people are going to run out and patch their CPU firmware?
I don’t think there is an “automatic update” for my CPU… lol.
In any event, it will be interesting to watch this story.
Bill