Rootkit hole left in Intel processors for 16 years

Memory sinkhole leaves older chips permanently vulnerable.

Intel processors made between 1995 and 2011 contain a serious design flaw that could be used to install invisible rootkits, a researcher has discovered.

According to Christopher Domas, a security researcher with the Battelle Memorial Institute, the design flaw in Intel's processors can be exploited to install malware below operating systems and antivirus, which would be unable to detect it.

The mistake was introduced in the Pentium Pro processor, released in 1995. Hardwired into the silicon, it has been staring kernel-level programmers in the face for years, Domas said.

"It's a forgotten patch to a forgotten problem, but opens up an incredible vulnerability," Domas said when he revealed the hardware bug at the Black Hat conference in Las Vegas last week.

The flaw allows attackers to run rootkit code at the lowest level on the computer, out of reach of the operating system, applications and hypervisors.

Specifically, the exploit for the flaw targets the low-level system management mode (SMM) in processors.

Domas discovered that accesses to system management memory could read and write to the local advanced programmable interrupt controller (LAPIC), something not normally allowed by hardware protections.

Domas was ultimately able to create a memory sinkhole, where writes were discarded and reads returned zero; with a special operating system driver, he managed to install a rootkit into the SMM.

Among other things, the rootkit could quietly oversee and record the user's every keypress, mouse click and download. Efforts to find and remove the rootkit from a computer can be blocked by the malware.

Intel spotted the error in its processor blueprints and corrected the issue in 2011. Chips built from January that year and onwards are not affected.

According to security specialist Jacob Torrey, operating systems can easily mitigate the security hole at the hypervisor or virtual memory manager level, protecting themselves from criminals exploiting the design flaw.

Newer operating systems could easily introduce a patch for vulnerable Intel processors, Torrey noted.

Millions of Intel processors in older PCs and aging laptops are permanently vulnerable and cannot be updated; newer devices based on the Sandy Bridge architecture are not affected by the flaw.

Copyright © SC Magazine, UK edition
