Source code

Almost all major OS vendors released security patches yesterday after a researcher discovered that some OS makers have misinterpreted an Intel CPU debug feature and left their systems open to attacks.

The vulnerability is in how the OS vendors implemented a hardware debug mechanism for Intel x86-64 architectures —and more specifically the MOV SS and POP SS instructions.

"In certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3," the CERT/CC team explained in an advisory published yesterday.

Explained in layman's terms, "this may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions."

OS vendors coordinate and release patches at the same time

Operating systems that mishandle this debug exception and had their systems open to attacks include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distros based on the Linux Kernel —which is also affected.

Further, the issue also made it into virtualization software like VMWare and Xen. CERT/CC has a page dedicated to the patch status of each affected vendor.

Fixing the bug and having synchronized patches out by yesterday was an industry-wide effort, one that deserves praises, compared to the jumbled Meltdown and Spectre patching process.

Unclear and incomplete docs deemed cause of the problem

The issue —tracked as CVE-2018-8897— is not remotely exploitable, and an attacker needs to have already infected a PC with malware or must have access to a logged-in account to run the malicious code that exploits this vulnerability.

In the best case scenario, an attacker could elevate the access privileges of his code to kernel level, and then use this access to perform other operations.

The issue was discovered by Nick Peterson of Everdox Tech, LLC. Both Peterson and the CERT/CC team blamed the "unclear and perhaps even incomplete documentation" relating the use of the MOV SS and POP SS instructions, as the main reason why this bug made it into the kernels of so many different operating systems, practically in the same way.

Peterson published a PDF report detailing the bug in more depth.

Related Articles:

Google and Microsoft Reveal New Spectre Attack

New Spectre Attack Recovers Data From a CPU's Protected SMM Mode

Intel to Allow Antivirus Engines to Use Integrated GPUs for Malware Scanning

Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware

Here We Go Again: Intel Releases Updated Spectre Patches