By jheary on Tue, 03/19/09
This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill! No, I'm not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all. Security Researchers Joanna Rutkowska is planning to release a research paper + exploit code for a new SMM (System Management Mode) exploit that installs via an Intel® CPU caching vulnerability. Joanna, of blue pill fame, reported this on her blog. Joanna cleared it up for me that they are not releasing a SMM rootkit but rather a exploit. It will be up to some other folks to tie this in with a SMM rootkit like this one perhaps. The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, the OS cannot control or read SMM, and the only way to read SMM is to disassemble the system makes an SMM rootkit incredibly stealthy! It is very much like the blue pill attack (the PC is living in the matrix which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit! SMM has been around in Intel chips since 386 processors so if you'd like further education or history lesson here is a good article.
Read more here -->Link
