
Re: Intel's Windows Drivers *NOT* Found to Have Serious Flaws

Roy Schestowitz wrote:
> __/ [ Larry Qualig ] on Wednesday 14 June 2006 13:58 \__
>
> > Roy Schestowitz wrote:
> >> Intel: Driver flaws no major threat--yet
> >>
> >> ,----[ Quote ]
> >> | Flaws in driver software may be worrisome and a potentially serious
> >> | threat, but security experts at Intel see no need for alarm. At least,
> >> | not yet.
> >> |
> >> | In a recent experiment, researchers at the Santa Clara, Calif.-based
> >> | chipmaker searched for publicly known vulnerabilities in drivers for
> >> | Microsoft's Windows operating system. They also hunted for malicious
> >> | code that took advantage of those security holes. In particular, they
> >> | wanted to find problems in kernel-level drivers and exploits that would
> >> | give an attacker full rein over a vulnerable system.
> >> `----
> >>
> >>                         http://news.zdnet.com/2100-1009_22-6083511.html
> >
> > The dishonest thread title has been corrected.
> >
> > <quote>
> >
> > In a recent experiment, researchers at the Santa Clara, Calif.-based
> > chipmaker searched for publicly known vulnerabilities in drivers for
> > Microsoft's Windows operating system. They also hunted for malicious
> > code that took advantage of those security holes. In particular, they
> > wanted to find problems in kernel-level drivers and exploits that would
> > give an attacker full rein over a vulnerable system.
> >
> > The search came up almost empty.
> >
> > "It was difficult to find something that was useful for us," David
> > Schulhoff, a senior information security specialist at Intel, said
> > Monday in a presentation at the Computer Security Institute's annual
> > NetSec event. "There really are not that many Windows kernel-mode
> > driver vulnerabilities out there."
> >
> > Other security experts agree with Intel's assessment.
> > </quote>
>
> I only now realise that my cursory look at the title and the first paragraph
> had me misled completely. Apologies about that one. Having said that, I came
> across sentences such as:
>
> ,----[ Quote ]
> | Another problem was that many of the issues found were old flaws in third-party
> | software. "Actually getting the vulnerable code proved to be impossible,"
> | he added.
> |
> | Also, many of the vulnerabilities Intel looked at were flaws that were
> | local, meaning attackers had to have on-site access to the PC, and that
> | allowed them only to elevate their system privileges. These issues can't
> | be ignored, but aren't nearly as serious as vulnerabilities that let
> | hackers commandeer a computer remotely.
> |
> | [...]
> |
> | Ultimately, Intel researchers found a vulnerability in a Microsoft driver
> | called TCPIP.sys, a part of Windows. Microsoft provided a fix for that
> | "critical" flaw in April last year, in security bulletin MS05-019.
> | Malicious code for the security problem is publicly available.
> |
> | [...]
> |
> | Though Intel researchers didn't manage to commandeer a computer with
> | kernel-level malicious code, that doesn't mean there is no need for people
> | to be wary of such issues, Schulhoff said. On his Windows machine, he
> | found 336 ".sys" driver files in the Windows System folder. Of those,
> | 218 were created by Microsoft and 24 by other companies he would trust,
> | he said--but 94 others were questionable.
> |
> | "That is certainly a concern. Who is putting this code on your system?
> | And can you count on them to write secure code?" Schulhoff said. Also,
> | he said it is not uncommon for developers to write drivers that don't
> | access hardware, but perform some other task on the machine. That could
> | mean more untrusted sources of driver code on a computer.
> |
> | [...]
> |
> | The threat level may change, the Intel experts said. However, that may
> | take a while, since attackers likely will first exploit the low-hanging
> | fruit--the vulnerabilities in other software that are easier to take
> | advantage of than the device driver bugs, said Alan Ross, a lead security
> | architect at Intel.
> |
> | "When device driver malware may come into play is once there are
> | effective mitigations for the user mode stuff," he said. "But I don't
> | even want to give a time frame."
> `----
>
> So it is not crystal clean, either. That said, the subject line was *not
> deliberately* misleading. Again, I truthfully apologise.


Not a problem at all Roy. This was a *very* decent thing to do.

Have a great day.

