'Misunderstanding' causes serious vulnerability in every OS

Almost every modern operating system contains a vulnerability caused by developers misunderstanding how Intel and AMD processors handle low-level instructions, which can be exploited to crash computers or to read sensitive data in memory.

The flaw was documented [pdf] by researchers Nick Peterson and Nemanja Mulasmajic and security vendor Everdox, with help from Linux kernel developer Andy Lutomirski and the Xen hypervisor project's Andrew Cooper.

It involves the assembly code POP SS and MOV SS instructions being executed, followed immediately by a software generated interrupt or SYSCALL, which triggers a hardware debug exception running at the highest level kernel privilege with full access to all parts of the computer.

Until today, developers have assumed that the operating system kernel's interrupt handler is in an uninterruptible state.

This is not the case, and is an "oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS and MOV SS instructions and their interactions with interrupt gate semantics," Peterson and Mulasmajic wrote.

Operating systems and hypervisors for Intel and AMD processors are affected by the coding flaw, the United States Computer Emergency Response Team (US CERT) said.

Attackers who exploit the flaw can crash the operating system kernel, read protected system memory, and take full control of computers.

The researchers also found further instruction pointer leaks that could be leveraged into loading and running unsigned kernel code on Microsoft Windows.

However, to exploit the vulnerability, attackers must first be logged onto the target system.

Major operating system vendors such as Apple and Microsoft have issued patches for the vulnerability, along with open source projects such as Linux and FreeBSD/Dragonfly BSD.

Virtualisation vendors VMware and Xen have also patched against the vulnerability, and Intel has updated its Software Developer Manuals for x64/IA-32 processors to clarify how the above instructions work.