Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint Security //

Windows

5/10/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

Microsoft, Apple & Others Rush OS Patches Following Debugging Debacle

Microsoft, Apple, along with several open source operating systems providers, plus a few hypervisor vendors, rushed patches out this week following a x86 chip debugging mistake.

Microsoft, Apple and other providers of open source operating systems had to rush out emergency patches this week after several vendors goofed on instructions for an Intel debugging feature, which, in turn, left all these OSs open to an attack.

Additionally, the mistake also affected several hypervisor providers as well.

Nick Peterson, a researcher with Everdox Tech, is being credited with noticing the flaw and alerting Intel and Microsoft initially, according to a May alert issued by CERT.

If left unpatched, the flaw could allow an attacker to "read sensitive data in memory or control low-level operating system functions," according to Tuesday's alert. It's not clear if a malicious attacker attempted to exploit the vulnerability, but it was severe enough that nearly all operating system vendors issues patches on the same day.

This not only included Microsoft Windows and Apple's macOS but a host of open source software as well from DragonFly BSD Project, FreeBSD Project, Linux Kernel, Red Hat, SUSE, Synology and Ubuntu.

That list also included Xen and VMware for their respective hypervisors.

At the heart of this issue is how these various software vendors responded to a debugging update that Intel was making to its x86-64 chip architecture. Specifically, it dealt with two parts of the x86-64 instruction set: MOV SS and POP SS. These instruction sets are also found in AMD processors as well.

Changes within MOV SS or POP SS can cause different behaviors within an operating system. As the CERT alert notes:

In certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3. This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.

In addition to the alert, Peterson wrote an entire research note on this particular vulnerability.


The fundamentals of network security are being redefined -- don't get left in the dark by a DDoS attack! Join us in Austin from May 14-16 at the fifth-annual Big Communications Event. There's still time to register and communications service providers get in free!

Since all the operating systems are different, each company has sent out different alerts. Microsoft, for example, notes about the vulnerability in the Windows kernel and how it fails to handle objects in memory.

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," according to Microsoft's security alert.

One noteworthy issue of this vulnerability is that it can be exploited by a remote attacker. An attack would need to start on a PC or server that is already compromised.

In his report, Peterson noted that this could have been caused by incomplete instructions when it came to the debugging issue.

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20001
PUBLISHED: 2020-08-04
An issue was discovered in RICOH Streamline NX Client Tool and RICOH Streamline NX PC Client that allows attackers to escalate local privileges.
CVE-2020-15467
PUBLISHED: 2020-08-04
The administrative interface of Cohesive Networks vns3:vpn appliances before version 4.11.1 is vulnerable to authenticated remote code execution leading to server compromise.
CVE-2020-5615
PUBLISHED: 2020-08-04
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
CVE-2020-5616
PUBLISHED: 2020-08-04
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] fre...
CVE-2020-5617
PUBLISHED: 2020-08-04
Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors.