Researcher: Intel fixed two critical flaws in its chips
Russian author set to demo how he could take advantage of bugs at conference
Computerworld - A Russian researcher who plans to demonstrate this fall how he could take advantage of flaws in Intel Corp.'s chips, said the chip maker has told him it has fixed two critical bugs.
Kris Kaspersky, an IT consultant and the author of Hacker Disassembling Uncovered and Data Recovery: Tips and Solutions, is booked to make the demo at the Hack In The Box Security Conference in October in Kuala Lumpur, Malaysia. Kaspersky said he can use the flaws in Intel CPUs to launch a remote attack against a computer -- regardless of what software platform it runs.
On Friday, Kaspersky told Computerworld that he has been communicating with Intel about the flaws for nearly a month and the company has told him that it fixed the two critical flaws he brought to Intel's attention. Both of the flaws -- one in the cache controller and one in the Arithmetic logic unit -- could be used by a remote attacker to execute arbitrary code, according to Kaspersky.
He said about a dozen other noncritical bugs that are not remotely executable remain. According to Kaspersky, Intel does not plan to fix them.
Intel did not immediately respond to questions about the existence of the flaws or whether they have been fixed.
In an interview last month, Intel spokesman George Alfs said, "We have evaluation teams always looking at issues. We'll certainly take a look at this one. ... All chips have errata, and there could be an issue that needs to be checked. Possibly. We'd have to investigate his paper."
In a summary of his presentation, Kaspersky charged that such CPU bugs actually have damaged computer hard drives without users' knowledge.
"I think if people [are] aware about bugs, they [will] force Intel to fix them," said Kaspersky. "I was asked [to] not make POC code publicly available, and I think this is a good point. I was asked [to] not reveal tech info, but [I] disagree, because installing protections on [the] ISP side will prevent all possible attack[s]. ... Revealing tech details will not cause chaos and mass-attacks, so I'm going to reveal a lot of -- but not all."
He added that he will provide some fragments of POCs to explain how the attack works and how to reproduce it, but he will not provide enough so hackers could download ready-for-use POC and run it.
In a previous interview, Dan Olds, an analyst at Gabriel Consulting Group Inc., said that if Kaspersky's allegations are true, everything from PCs to servers could be at risk.
"These allegations are serious and, if true, certainly a cause for concern," added Olds. "Just the fact that this is being widely publicized will act as an enticement for hackers to exploit the alleged weaknesses in the processors. That said, I believe that the author may be entering into the land of hyperbole when he says that these bugs can be exploited regardless of operating system or other security measures. That certainly needs to be proven."
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Mobile Applications Case Study: 8 Billion Transactions a Day The story documents how the online brokerage company tradeMONSTER created a custom mobile app and the success gleaned from this initiative. Also covered...
- Who's afraid of the big (data) bad wolf? Survive the big data storm by getting ahead of integration and governance functional requirements This paper provides a detailed review of the best practices clients should consider before embarking on their big data integration projects.
- Understanding big data so you can act with confidence Automating information integration and governance and employing it at the point of data creation helps organizations boost confidence in their big data.
- Live Webcast Best Practices for the Hyperconverged Enterprise Network To the Age of Constant Connectivity and Information overload
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Mobile Apps and Devices Slash Customer Cycle Time Consolidated Engineering Laboratories' field employees used to collect data on triplicate forms that were sometimes hard to read and difficult to manage. After...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Knowledge Center White Papers | Webcasts