Researcher claims to have discovered universal attack code for Intel chips: no one is safe
Also, he says he found Intel's diary and is totally telling everybody about that one thing. But seriously, we think Kris Kaspersky is being a bit of a tease here. He claims to have found a flaw in Intel's processors that would allow a hacker to bust up on a computer using JavaScript or TCP/IP, with no regard for what operating system the computer is running... only he won't say what it is. He's planning on unveiling the attack at the Hack In The Box conference in Malaysia this October, where he says he'll show working code that can take control of computers, all of which he plans to release publicly. The attack takes advantage of known errata in chips, which most vendors have a workaround for in BIOS, but not all. XP, Vista, Linux, BSD and Mac operating systems are all vulnerable, so we all get to run around panicking until October -- unless somebody figures it out first.

Looks like AMD has won this time.
^ I sure hope so! Or is it Kaspersky hasn't got to AMD yet? LOL
Is that true? Doesn't AMD use the Intel instruction set? That would mean it could be affected by this code. Looks like ARM/PPC/SPARC/etc. has won this time!
amd uses the same instruction sets yes, but they are implemented differently. it is possible this just affects intel, which would be really cool (I have machines running on either). I'm not a fanboy of either even though I used to work for AMD, but each company has benefits to me (intel in mobile of course and amd for affordable desktops)
AFAIK -only x86 and MMX and SSE and SSE2 and more SSE#
The attack is used on the errata found in the INTEL CPUs.. Unless AMD's errata are identical to Intel's, it likely will be rendered useless (unless modified). I'm sure it won't be long before more and more hardware-attacks are found as more and more people move toward alternative OS's .. This is a reason why I dislike CISC CPUs, and why RISC is a better alternative - less Points of Failure.
If Intel only didn't have so much money to plow through the issues it faced with CISC at the beginning ...
Intel's present CPUs aren't CISC. Except for the Atom.
Also, PowerPC G4 and G5 weren't RISC.
They're Post-RISC/Post-CISC. They implement ideas from both ideologies.
Saying that RISC is better is sooooo 1980's
That's why I use my own home made chip.
and i make my own salsa!
Oh how I miss the PPC Mac...
mmmmhmmmm AMD tri-core !
im down =]
Hey, is that a Gibson?
If so, the password is definitely "god"
Love the pic. Hack the Planet!!
why not sex love or secret?
Hrmm. This seems pretty weak. Javascript or TCP/IP? So there is a Javascript command that he can run in any browser that can take over my computer?
Or some TCP/IP special signal?
I look forward to the follow-up story on this one.
Yeah I agree with Brian! - weak
JavaScript/ TCP/IP + Java ?
"The proof-of-concept attacks will show how processor bugs, called errata, can be exploited using certain instruction sequences and a knowledge of how Java compilers work, allowing an attacker to take control of the compiler. "
So what: a hacker can take control of the Java Virtual Machine compiler on my computer - NOW WHAT? Even if you could upload some code, compile it, and run it on my computer, it'd still be in the VM. What's Kris Kaspersky gonna do- break openoffice on everyone's computer?
Javascript still executes code on the CPU. Knowing how a set of javascript commands will be interpreted, and the processor errata, he can design a script to fall in to some of the holes.
That said, I'm not sure how he goes from errata -> stealing CC numbers or whatever.
From the looks of things, this article incorrectly ties javascript into the method that will be used. I get the feeling that this is more java based than anything, and it sounds like he uses a CPU exploit to gain control of the java compiler, then uses JAVA EXPLOITS to gain further control of the system. Either that or the other way around.
Frankly though, he says that these would be undetectable and unpatchable at the system level, but I have a hard time believing that OS makers can't figure out the specific problems presented by these bugs, and simple workaround to prevent them at the lower levels of the system.
Does it also provide free energy?
Seriously though, he must be a smart guy but you would think these people could find something useful to do with their time.
No but it blends and plays Quake.
-aedile-
My same thought. Cracking processors is the new perpetual motion / free energy announcement.
so is this bios level? does that mean efi is safe?
The password is UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT A B START.
They can't do anything to my computer, though. I'm invincible. I'm also not connected to the internet.
I see what you did there...
FAIL.
B A start.
What did he do? I'm confused.
Isn't it ^ ^ v v < > < > X O? And where did the START come from? Are we talking about the same thing?
@ vileta2
The code for the original Contra is ^ ^ v v< >< >BA Start. Must be talking about two different things.
have i told you i've found the key to free energy, beer and sex but i won't tell anybody lol
So glad to be an AMD fanboy today.
Neo, you are the one!
thank you
best movie ever.
No, no it wasn't. It was good, but no Godfather/Braveheart/Saving Private Ryan. /Ace Ventura for good measure.
shat
wow that sounds pretty bad. take control of a computer using JavaScript? i will be interested to see the demo.
That from the movie Hackers?
indeed it is, zero-cool
I laugh so hard every time I watch that movie :D
"OH NOES THEY IS BREAKING OUR TOWERS"
Do you now see why iPhone doesn't use intel? Steve jobs can see the future!
ya steve jobs sees the future.... and all macs run on intel.
wrong. Some run on powerpc. Fool
Puhleeze. First off, no further Macs at all use PowerPC, which is basically a dead platform for PC's now that the only thing out there using it that people still sell is the Xbox 360. Second off, you think Steve Jobs sees the future because of his reality distortion field when all he is doing is replicating stuff that has been going on for the past few years and making it more friendly. (Multi-touch? Do a search for Jeff Han. Graphical user interface for the first Mac? Do a search for Xerox's GUI. And so on.)
And to defeat your point completely, the iPhone tangentially is an Intel processor because basic architecture of its Xscale processor was developed by Intel. There.
Gotta do it....
Epi...err Legendary Fail.... Erik
dun dun dunnnnn...
Code that could control any computer in the world regardless of OS. Wow, i would say he better be careful, a lot of people will be after this.
I'll believe it when I see it successfully compromise a Linux machine and a Mac OS X system remotely, with no direct access to the hardware. Definitely an intriguing notion, though.
And by "Mac OS X system," I mean a legal, EFI-equipped box, made by Apple... not a "clone".
I wrote a greasemonkey script that finds the names of members of van halen and makes links out of them to google searches of their names. It also inserts a little "VH" logo next to it.
NO ONE IS SAFE
yup just go ahead and tell every hacker out there instead of just informing the hardware manufacturers. So all of us with intel chips can get screwed.
no worries, big ass firm like that will go and shut him up lol
If he just informed the manufacturer, do you really think that the problem would be fixed in a timely manner? Seriously doubtful. However, give out the code, and all the sudden Intel has a strong NEED to fix the problem....
Some dude who just learned binary code for the same purpose is really pissed right now.
I bet if he used some of his time to "hack" womens panties he'd have a better life..... just sayin..
reminds me of the cartoon http://en.wikipedia.org/wiki/Wagon_Heels
"I know something I won't tell, I won't tell, I won't tell!"
HACK THE PLANET!!!!!
TOOL!
MEH! It's another case of someone wanting 15 minutes of fame. I hate these people with RIDICULOUSLY stupid claims. Whatever.
Yes! Gibson!
In before cyber doomsday!
Wow, my ten year old, G3 laptop that refuses to die will still be useful.
Bow, bow to your sensei!
MEH! Whatever. Another asshole trying to get his 15 minutes of fame. Fucking fake!
Seriously... isn't this guy being a little bit of a jerk? So instead of telling the ppl who need to know (read: Intel HP Apple Sony etc.) so that they can patch this gaping hole, he would rather grab attention for himself and tell the WHOLE WORLD how to gain access to ANY computer that just *happens* to run on THE most popular processor next to AMD.... doesn't that sound childish? I mean, there is obviously a huge risk here. Does Kaspersky not see his obligation to the computing world, or is he just an egomaniacal jerk? If he knows what's right he will (hopefully) tell the right people. Does anyone agree with me?
I disagree. If it turns out that this large flaw in chip design is real, then he should be paid quite a bit of money for his findings. Asking that he just turn over the details of the bug to Intel for free is just wrong. People need to be properly paid for their work, nothing is free.
No, I do not. You can use a government analogy for this one. Tell the people first and the man will respond very quickly to cover its own ass. Tell the man first and the people will never know how badly they were or are being screwed.
Intel already knows about it.
i'm sort of glad i have kaspersky AV then, so i should get the update as it's released
Yea, this fool is starving for attention and must be certifiably nuts cuz this guy either doesn't even understand what kind of attention he will receive, criminal AND gov't wise or just has lost it, period.
It's in the Garbage file. Intel is responsible, they're just trying to blame it on hackers in order to collect on the insurance.
eh, he's probably hoping that he gets enough hype up that intel buys his silence for $1mil
Looks like the ps3/cell has won this time. Suck it 360!!!! ...................................................J/K
Yes...because the three core Xenon in the 360 is a special PowerPC based chip that is actually an Intel processor.
I thought it was funny. D=
Maybe he can fix my processor so I can run Crysis.
Kris Kaspersky IS Zero Cool!
I totally understand this guy's need to address that this is a big issue, but by keeping it to himself, he will draw criticism from many people; by releasing code to compromise systems, he can practically be charged with conspiring to commit terrorism the way this country is heading. Sure it's computer exploitation, but if it will affect many businesses and people's lives in the US, then it can be considered said offense.
And if you people think he's doing this to get paid, I think he's just doing it to punish Intel for not finding this bug.
Hey I completely agree. I wish to restate here that he does have an obligation to report this bug, as it were, to the proper parties. On a side note, he did not do any "work", in the state of on-the-books labor: by the wording in the article it would appear as if he discovered this on his own time, by no-one's request, by his own volition. That being said, if Intel/Apple/HP/MS wishes to pay him, more power to him. Nonetheless, if he wishes to "punish" Intel then I seriously think he should not take it out on the millions of businesses and individuals that use Intel's chips. And I do think that if computer forensics can prove (later) that a given act of computer sabotage/terrorism comes from this guy's publicly available code, then he should be persecuted for that.
I think you meant "prosecuted".
; )
Wow... with comments like these, no wonder you elected Bush twice.
Yes I voted for Bush.
Uh... To be honest I *woulda* voted for Bush too were I of age at the time... In fact it appears most people did.
And I did mean persecuted ( :) ) but prosecuted would be okay too I guess. But I have been hearing a lot of people say that Intel *already knows* about this bug. I hope that this is the case, because other comments on the original site state that it doesn't affect all operating systems, contrary to the article. Again, I hope this is the case.
Nonetheless, if it is a serious problem, then this guy is pretty much yelling out the instructions to the computing equivalent of an atomic bomb free of charge to anyone who will listen. Doesn't that seem a little... unethical?
@CubeGuy
stfu no you didn't...
OLD MACS FTW!!!
Hackers screenshot ftw
eh, he's not some anonymous dude looking for his 15-minutes of fame. It's Kaspersky.
And [although I agree with the sentiment] for those of you who are yammering that he should "forewarn" the manufacturers -- what good would it do if he's got a hack that circumvents everything down to the hardware level? It isn't like Intel can just send out a patch for our chips :) Hopefully I'm wrong, and whatever he's cooked up in his lair-^d^d-ab can be prevented through a software update. /shrug.
tomorrow in the news we hear that this man has mysteriously disappeared...and that also intel's chief engineers have gone to their other office in guantanamo.
I'm safe...my computer chip uses thousands of really tiny gerbils on tiny little wheels. Besides, I have GEICO.
I'm not saying I believe a word of this, but if he really did find something, then why do guys like this want to post it publicly? What on earth is that supposed to accomplish by placing everyone at potential risk? Maybe he's talkin' bunk, but until we know for sure, "Thanks a lot ya boob for deciding to advertise your findings to every idiot out there. Way to contribute to society."
How about letting Intel know so they can fix it (if this truly is a real flaw), without creating a stir. If you find something that places people at risk, you don't go yelling it at the top of your lungs. You keep your big mouth shut and quietly provide the info to those who can do something about it without harming the rest of us.
(ominous music in the background).........and who said it was a flaw?.....(menacing)you guys dont know the half of it......(ominous music ends)
Don't you joke about this. Once he controls your CPU he'll use a quantum entanglement errata he found in the human genome to take over your brain by blinken lights. So better be good now, or he will be very, very angry ...
There is something wrong with this whole premise:
1) TCP/IP, in and of itself, does not pass executable code and have it directly executable by the CPU. If it does, it's a bug in the TCP/IP stack, not the CPU.
2) Javascript doesn't run native machine code. If it allowed native machine code through, it would be a bug/fault of the Javascript execution engine, not the CPU.
In either case, I call attention-whoring BS on this.
I bet the CIA/NSA is pissed about their backdoor being discovered.
Love the picture... GREAT MOVIE!!!
all talk no action...
i can hack up a super computer in 1 day!
why 1 day?
coz that damn computer is huge dude!!!
even with a big axe i still need lots of time.
Intel: "Mr. Smith, kill Neo now!".
Neo: "Ok ok, i won't tell..."
JavaScript is not the same as Java. JavaScript is not run on the virtual machine provided by Sun, but is interpreted by the browser itself (eg Firefox, Opera, IE).
I'm just waiting for the stream of "Hai, I'm in ur Java, sploitin' your errata" lolcats pictures. -_-
On the plus side, anyone falsely accused of copyright theft or child porn can point to this vulnerability and say EVERYONE can be hacked / framed.
Eventually we will be back to doing basic "computing" with a pencil, paper, calculator, compasses, rulers etc... and a little bit of brain power.