LAS VEGAS. Unknown to tens of millions of users, a hidden security vulnerability has been lurking on many Intel-based Windows PCs for the past six years.

The vulnerability was found by researcher Rafal Wojtczuk from security firm Bromium. Wojtczuk announced his findings at the Black Hat security conference here in Las Vegas. According to Wojtczuk, the vulnerability he re-discovered was actually first exposed and patched six years ago, albeit only on Linux systems.

The vulnerability involves the unsafe use of an Intel CPU instruction called 'sysret'. The risk is that if left unpatched, an attacker could have executed a user-to-kernel privilege escalation attack. In such an attack, the attacker could potential get system access and then execute arbitrary code.


In an interview with eSecurity Planet, Wojtczuk noted that only Intel 64-bit chips are at risk and not chips from AMD. He explained that when Intel was implementing the 64 bit specification they made a slight, subtle change in the semantics.

"Intel's position is that there is no bug on their side," Wojtczuk said. "The semantics are very explicitly documented in their manuals and it behaves as documented. However the semantics of the instructions are counter-intuitive."

The fix first landed in the Linux kernel in 2006 and has remained in place ever since, but only on Linux. For users of Windows 7 as well as the open source FreeBSD and NetBSD operating system, it's another story. Up until six weeks ago, those operating systems were all at risk from the flaw that Linux patched six year ago. Wojtczuk noted that on June 12th all of the affected vendors patched their respective operating systems for the Intel privilege escalation flaw.

While the flaw has been present for six years, it's not clear if it was every actively exploited. Wojtczuk noted that after the June fix, at least one penetration testing framework now has a working exploit for the Intel flaw.

Additional Undetected Flaws?

While the Intel flaw that Wojtczuk is discussing at Black Hat has now been fixed, he warned that there are likely other such issues lurking inside operating systems today.

"I'm pretty sure that there are many more similar issues in mainline operating systems that can be found and are not yet patched," Wojtczuk said.

From Wojtczuk's point of view, the state of modern operating system security is not really satisfactory.

"Just look through the history of Microsoft advisories for privilege escalation attacks," Wojtczuk said. "They are getting more and more frequent and I'm pretty sure there are lots more of them out there, waiting to be discovered."

Some vendors attempt to limit the risk of privilege escalation attacks by way of application sandboxing. With the sandbox approach, an application and its privileges are restricted for use within a certain area on an operating system's memory surface. But Wojtczuk isn't enthusiastic about that approach.

"In the majority of sandbox cases, they still rely on enforcement provided by the operating system," Wojtczuk said. "That's the crucial weakness in the concept of the sandbox, so if there is a flaw in the operating system, the sandbox can potentially be bypassed."

Wojtczuk's research that led to the re-discovery of the Intel flaw wasn't just done as hobby. Wojtczuk works for Bromium, a company founded by virtualization pioneers from Xen that has an alternative solution to traditional sandboxing. Bromium is advocating a "secure by design" approach in which there is a security boundary that is not secured by the operating system. So even if an operating system vulnerability is found, the security that Bromium aims to guarantee will still hold.

"We don't trust the OS," Wojtczuk said. "We put sandboxes around the whole OS."

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.