近日，波兰知名美女黑客Joanna Rutkowska成为安全业内焦点人物，她在博客上发表一篇论文，曝光了一个英特尔CPU的缓存漏洞。而另一位安全研究人员Loic Duflot将在加拿大温哥华举行的CanSecWest安全大会上介绍该漏洞和攻击代码。

　　如果这一漏洞被证实存在，黑客就可利用该漏洞获得对电脑近乎至高无上的控制权，并且不受任何操作系统控制、关闭或禁用。毋容置疑，此时杀毒软件将毫无用武之地。黑客的攻击范围，可能覆盖Vista、XP、Windows Server、Linux或BSD等任何一个装有英特尔CPU的操作系统，这无疑会给所有安装英特尔计CPU的用户带来极大恐慌。据悉，目前全球计算机系统中，英特尔CPU的市场份额占到85%以上。

　　庆幸的是，Joanna Rutkowska是一个被归为“灰帽黑客组织”的漏洞挖掘和研究人员，这类天才们往往以安全研究人员自居，他们常常把发现的漏洞曝光，或交给微软官方，从而推动软件厂商积极修补漏洞。

　　然而，如果这些高危漏洞被另一些属于“黑帽组织”的漏洞挖掘者发现的话，后果将会很糟糕。这类人一般会为了金钱而把挖掘到的漏洞卖到黑市，结果极有可能是漏洞落到商业黑客手中，从而引发网络疫情。。因此，在互联网黑色产业链条中，技术最高、威胁最大的从业者并非是木马作者，而是“黑帽组织”中的漏洞挖掘者。

　　360安全专家表示，目前互联网90%以上的网络威胁都是在利用用户机器内的漏洞，可以说漏洞是互联网目前的威胁之源。如果把计算机系统比作人体，修补漏洞就相当于注射抗病毒疫苗，而杀毒软件仅仅是外用药品，只能治病却不能提供免疫能力。因此，要从根本上保障电脑安全，就必须及时安装微软和第三方软件厂商提供的最新漏洞补丁。

　　360安全卫士作为国内最大的网络安全平台，不但能将必须的微软最新漏洞补丁第一时间发送到2亿用户电脑中，而且还能经常截获利用0Day漏洞（官方发现但尚未提供补丁的漏洞)的最新木马病毒，并为用户提供修复漏洞的临时补丁。如前不久微软IE7、GDI+等0day漏洞被曝光后，360都先于微软给用户提供了临时补丁，有效遏制了木马的大面积感染。

　　360安全专家表示，针对此次英特尔CPU可能存在的缓存漏洞，360安全中心将严密监测近期的网络疫情，并同时关注英特尔公司就此漏洞的官方回应。一旦英特尔方面证实该漏洞的存在并推出相应补丁，360安全卫士将在第一时间将该补丁推送到2亿用户的电脑桌面，提醒用户及时修复漏洞。

附：曝光英特尔CPU漏洞的Joanna Rutkowska博客文章：
Friday, March 13, 2009

Independent Attack Discoveries

Next week's Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms.

The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Interestingly, the very same attack will be presented by another researcher, Loic Duflot, at the CanSecWest conference in Vancouver, Canada, on... Thursday 19th, 1600 UTC. BTW, this is a different SMM-targeting attack than the one we mentioned during our recent TXT talk and that is scheduled to be presented later this year.

Here's the full story (there is also a moral at the end) …

Just after our presentation at the Black Hat last month, we (i.e. Rafal and I) have been independently approached by some person (or two different persons — we haven't figured that out actually — there were some ca. 30 people willing to ask us questions after the talk, so it's hard to remember all the faces), who was very curious about our SMM attacks (whose details we haven't discussed, of course, because Intel is still working on a fix). This person(s) started asking various questions about the attacks and one of the questions, that was asked to both me and Rafal, was if the attack used caching. Later that day, during a private ITL dinner, one of us brought this issue, and we started thinking if it was indeed possible to perform an SMM attack via CPU caching. By the end of the dinner we have sketched out the attack, and later when we got back to Poland, Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours. (I think I used way too many parenthesis in this paragraph).

So, being the good and responsible guys that we are, we immediately reported the new bug to Intel (actually talking to Intel's PSIRT is getting more and more routined for us in the recent months ;). And this is how we learnt that Loic came up with the same attack (back then there was no talk description at the conference website) — apparently he approached Intel about this back in October 2008, so 3-4 months before us — and also that he's planning to present it at the CanSecWest conference in March. So, we contacted Loic and agreed to do coordinated disclosure next Thursday.

Interestingly, however, none of us was even close to being the first discoverer of the underlying problem that our attacks exploit. In fact, the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees. Stay tuned for the details in our upcoming paper.

Conclusion

If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later. So, don't blame researchers that they find and publish information about bugs — they actually do a favor to our society. Remember the guy who asked us if our attack used caching? I bet he (or his associates) also have had exploits for this caching bug, but apparently didn't notify the vendor. Hmm, what they might have been doing with the exploit? When was the last time you scanned your system for SMM rootkits? ;)

Anyways, congrats to Loic for being the first one who wrote exploits for this bug. Also congrats to Intel employees who originally noticed the problem back in 2005. posted by joanna at 1:22 PM