A pair of Israeli employees at Intel Lab's research arm in Haifa found a security vulnerability last year that affected eight major computer-systems manufacturers.
Intel’s Benny Zeltser and Yehonatan Lusky reportedly discovered what is now called 'RingHopper' last year, but the vulnerability was not officially announced until manufacturers were given a chance to patch their systems.
The vulnerability was detected in boot firmware and allows code to be executed in System Management Mode (SMM), which provides unlimited access to all system memory.
SMM access allows code to be executed by the computer without being controlled by the operating system (Windows, macOS or Linux). Since most virus and malware detection software is run by the operating system, this vulnerability would allow malicious code to run unseen by those security systems.
Zeltser and Lusky found that the SMM process could be manipulated to change the original request through a “time-of-check to time-of-use” bug. A bug of this kind arises when code checks the state of one part of the system and then uses the result of that check to perform another operation.
In the RingHopper vulnerability, the result of that check can be modified to allow access to SMM.
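The check-then-use pattern described above, as an added illustration that is not from the researchers or from any vendor's firmware: a simplified C model in which a handler validates a length held in caller-writable memory and then reads it again, next to a version that works from a private copy. All names (`struct request`, `handle_double_fetch`, `handle_snapshot`, and the `race_hook` stand-in for a concurrent writer) are hypothetical and do not describe RingHopper's actual code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PRIV_MAX 16u   /* capacity of the handler's private buffer */

/* Request block living in memory the less-privileged caller can still write. */
struct request { uint32_t len; uint8_t data[64]; };

/* Constructed stand-in for a concurrent writer; it runs between check and use. */
typedef void (*race_hook)(struct request *);
void no_race(struct request *r)  { (void)r; }
void grow_len(struct request *r) { r->len = 64; }

/* Vulnerable pattern: len is read from shared memory twice.
   Returns the length the handler would act on (nothing is copied here). */
size_t handle_double_fetch(struct request *shared, race_hook between)
{
    if (shared->len > PRIV_MAX)   /* time of check */
        return 0;
    between(shared);              /* window in which the value can change */
    return shared->len;           /* time of use: second read */
}

/* Hardened pattern: copy once into private memory, then check and use the copy. */
size_t handle_snapshot(struct request *shared, race_hook between, uint8_t *out)
{
    struct request local = *shared;
    if (local.len > PRIV_MAX)
        return 0;
    between(shared);              /* later writes no longer affect the handler */
    memcpy(out, local.data, local.len);
    return local.len;
}

/* Runs one handler on a constructed 8-byte request and returns the length used. */
size_t demo(int hardened, race_hook hook)
{
    struct request req = { .len = 8 };
    uint8_t out[PRIV_MAX];
    return hardened ? handle_snapshot(&req, hook, out) : handle_double_fetch(&req, hook);
}

int main(void)
{
    printf("double fetch: %zu, snapshot: %zu (limit %u)\n",
           demo(0, grow_len), demo(1, grow_len), PRIV_MAX);
    return 0;
}
```

With the simulated writer active, the double-fetch handler acts on a length that passed the check as 8 but reads back as 64, while the snapshot handler keeps using the value it validated.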
While potential exposure was widespread in terms of affected systems, it was somewhat limited because of the boot sequence: an attacker would need either physical access to the computer as an administrator or a prior vulnerability to exploit in order to compromise parts of the security system.
The two security research lab partners planned to share detailed findings of their research last year, including a demonstration of the vulnerability at the BlackHat and DefCon cybersecurity conferences. They intentionally delayed their full presentation, but disclosed a sufficient amount of detail to allow security researchers to create patches first.
Zeltser and Lusky will be demonstrating the vulnerability at Microsoft's upcoming BlueHat IL cybersecurity conference in Tel Aviv at the end of March.
The pair initially thought the security vulnerability was contained to Intel’s systems, but they decided to test systems from other manufacturers and found the same issue.
“This allows you to change anything on the computer, even on Linux. The only computers that do not suffer from the problem are made by Apple,” the researchers said.
The All Israel News Staff is a team of journalists in Israel.