back to article Intel papers over remote attack chip flaws ahead of demo

Intel has fixed a pair of flaws in its chips ahead of a planned demonstration of remote attacks on them by security researcher Kris Kaspersky. Kaspersky – no relation to the Russian security firm – was due to demonstrate the findings of his CPU malware research at the Hack in the Box conference Malaysia in October, in a …

COMMENTS

This topic is closed for new posts.
  1. E_Nigma
    Stop

    The power of press

    While AMD was given all that hell over their infamous TLB bug, zero consequences for Intel.

  2. amanfromMars Silver badge

    Place your Bets

    "It also casts Intel's denials of a warning by Theo de Raadt that flaws in the Core 2 architecture could be exploited in a new light. " ...... suggesting that they are even more serious than they originally discovered/thought/were told?

    Yes, I Think so whenever you can compromise the CPU right through to ITs Cores. Seems like the only way to Solve that is to Parachute in Crack Code Special Forces and/or Pay the Hack whatever IT Needs ....... for Further XXXXPloration of what would be Myriad Possibilities/Vulnerabilities/Opportunities.

    And if the Truth be Told, that would be the Cheapest Option by a Very Long Way. Anything Else has the Possibility, and I would even Share the More Definite Probability, of Costing an Absolute Fortune. And if the Truth be further told, that would not even be a Cost, it would be an Astute Investment that would make Absolute Fortunes.

  3. Anonymous Coward
    Alert

    Good for Intel (sort of)

    It's nice that Intel has gotten around to fixing vulnerabilities in their chips (after being shown the light), but it still seems that all of the ga-zillion existing Intel chips out there are still vulnerable. This looks like a hard-coded flaw to me, not something that could be patched by a BIOS update, for example. I don't suppose Intel will do much about that unless forced. (not that I really blame them, as a recall would make the Sony battery fiasco look like small potatoes in comparison)

  4. Dave
    Paris Hilton

    a balanced response by Intel

    This seems sensible and pragmatic, just wish I was as clever as KK and could earn squillions by promising not to reveal flaws / exploits that I had discovered ;-)

    PH is flawed and has revealed, did she earn squillions?

  5. Daniel B.
    Thumb Down

    Javascript?

    Ok, can somebody tell me how bad of an exploit this is, that something as inane as Javascript can trigger a HARDWARE exploit? Javascript isn't even compiled, let alone compiled into machine code!

    I really, really wish to see this über-exploit code, but it seems Intel just paid off KK's silence. Bad.

  6. Scott

    @Daniel

    All code must be compiled into machine code before it can be executed, including Javascript.

    I think your misconception comes from the fact that not all types of code are pre-compiled (or in other words, converted into a ".exe" file). Javascript and PERL are two well-known examples of these languages. These are still compiled, however, at runtime.

    By knowing how these compilers will react to certain bits of code, it is theoretically possible to exploit bugs at the hardware level.

  7. Darren Starr

    OS and Browser vendors work around bugs all the time

    There is no executable code in a TCP/IP packet. This is pure simple fact. The code becomes executable by exploiting code that processes and propagates the packets. Therefore any of these bugs are obviously patchable within the TCP/IP stack. So forget that angle of attack. The operating system vendors should be made aware of the problem of course though.

    There is no executable code in either Java or JavaScript. It has to be interpretted or compiled by the system to be executed. Both Java and JavaScript interpretters/compilers are developed by vendors whom work around operating system security holes all the time. There's just no point in making a deal about this. Just patch the holes and all is good.

    Let me also point out that taking advantage of JIT compilers can be used to compromise processors without bugs as well.

    So, would someone please tell me how this is an issue?

  8. Michael Wojcik Silver badge

    @Scott

    "All code must be compiled into machine code before it can be executed, including Javascript."

    Nonsense. There are plenty of language implementations that are pure interpreters. They may tokenize source as they parse it, and then operate on the token stream; but the only machine code that's executed is that of the interpreter itself.

    CPUs only execute machine code, but it is possible, indeed common, to build programming-language implementations that don't execute directly on the CPU.

    And nothing in the ECMAScript standard demands that it be JIT-compiled.

  9. Anonymous Coward
    Anonymous Coward

    So they've patched the remotely exploitable issues

    That was bound to happen eventually...

    So I'm more concerned about the claim that the CPU is causing damage to the hard drives. I can't say I'm surprised that something was found to be screwing up harddrives - although I'll admit to being surprised it is the CPU.

This topic is closed for new posts.

Other stories you might like