Microsoft, Apple and other providers of open source operating systems had to rush out emergency patches this week after several vendors goofed on instructions for an Intel debugging feature, which, in turn, left all these OSs open to an attack.
Additionally, the mistake also affected several hypervisor providers as well.
Nick Peterson, a researcher with Everdox Tech, is being credited with noticing the flaw and alerting Intel and Microsoft initially, according to a May alert issued by CERT.
If left unpatched, the flaw could allow an attacker to "read sensitive data in memory or control low-level operating system functions," according to Tuesday's alert. It's not clear if a malicious attacker attempted to exploit the vulnerability, but it was severe enough that nearly all operating system vendors issues patches on the same day.
This not only included Microsoft Windows and Apple's macOS but a host of open source software as well from DragonFly BSD Project, FreeBSD Project, Linux Kernel, Red Hat, SUSE, Synology and Ubuntu.
That list also included Xen and VMware for their respective hypervisors.
At the heart of this issue is how these various software vendors responded to a debugging update that Intel was making to its x86-64 chip architecture. Specifically, it dealt with two parts of the x86-64 instruction set: MOV SS and POP SS. These instruction sets are also found in AMD processors as well.
Changes within MOV SS or POP SS can cause different behaviors within an operating system. As the CERT alert notes:
In certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3. This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.
In addition to the alert, Peterson wrote an entire research note on this particular vulnerability.
Since all the operating systems are different, each company has sent out different alerts. Microsoft, for example, notes about the vulnerability in the Windows kernel and how it fails to handle objects in memory.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," according to Microsoft's security alert.
One noteworthy issue of this vulnerability is that it can be exploited by a remote attacker. An attack would need to start on a PC or server that is already compromised.
In his report, Peterson noted that this could have been caused by incomplete instructions when it came to the debugging issue.
Related posts:
- Microsoft's 4-Step Plan for Eliminating Passwords
- Microsoft's TCPS Project Looks to Secure IIoT & ICS
- Microsoft: Tech Support Scams on the Rise
- Microsoft Security Is Channeling the Terminator
— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.