Remember the Chernobyl virus, also known as “CIH” after the initials of its author, a certain Mr Chen Ing Hau of Taiwan?
CIH was the first virus that succeeded in directly and deliberately damaging your computer hardware by purposefully reprogramming your BIOS chip with garbage machine instructions.
The BIOS is the chip that contains the low-level software that is the very first thing to run when your computer fires up, so trashing it stopped your PC from loading up at all.
Ironically, the CIH virus didn’t have to find and exploit any security holes – there was generally no formal protection against writing to the BIOS back in those days.
You didn’t need to hold down a special hardware switch, enter a user-selectable password, or update with a cryptographically signed blob of firmware code.
The only protection was a sort of “security through obscurity” system that required a specific but publicly documented sequence of memory accesses and timings to activate BIOS writes.
This was a precaution intended to prevent programming accidents, but not to keep out crooks.
Well, the spectre of CIH is back in the news following a recent security advisory, numbered INTEL-SA-00087, from chip maker Intel.
In the sort of awful jargon-splattered non-English that characterises so many technical documents these days, Intel writes:
Configuration of SPI Flash in platforms based on multiple Intel CPUs allows a local attacker to alter the behavior of the SPI Flash, potentially leading to a Denial of Service. This issue has been root-caused, and the mitigation has been validated and is available.
In plain English, we think this means the following:
Due to a low-level programming bug in your computer’s CPU, the memory chips relied upon during startup could be sneakily and unexpectedly filled with garbage.
This would almost certainly stop your computer working properly, and perhaps even stop it booting up at all.
Intel claims it has figured out what actually caused the bug in the first place, which means that it has not only come up with a fix, but is also confident that the fix deals with the problem properly, rather than just being a bodge that happens to work for now.
Good news and bad news
The good news is that Intel itself found and researched this problem, and there is no evidence that any crooks have yet figured it out.
In other words, it’s not a so-called zero-day, where crooks are already exploiting the bug in advance of anyone else knowing about it, and therefore in advance of any fixes being available.
More good news is that, according to Intel, this vulnerability, which involves messing with the startup flash memory in your computer, is classed as a DoS, short for denial of service.
Generally speaking, DoSes don’t allow crooks to break into your network, implant malware, snoop on your activities or modify data.
So, DoSes usually aren’t as risky as RCEs (remote code execution holes) or EoPs (elevation of privilege bugs), where crooks may be able to wander in and then poke around at will.
But there’s bad news here, too.
Most worrying is that Intel doesn’t make it clear how serious the DoS might be if this bug is ever exploited by cybercrooks.
If your SPI flash is unexpectedly modified and your computer won’t boot up normally, what then?
Back in 1998 and 1999, many motherboards damaged by the CIH virus couldn’t be fixed at all, because they had no emergency provision for restoring a minimal-but-working BIOS to permit a patch to be installed.
On a significant proportion of motherboards, the affected chips couldn’t be removed for reprogramming, couldn’t be reprogrammed in place, and couldn’t be forced to revert to a “last known good” configuration to make them updatable again – in short, many afflicted motherboards were toast.
Intel isn’t saying what proportion of modern devices might be in the same boat.
Also worrying is the fact that Lenovo, which sells a vast array of different computers equipped with vulnerable Intel chips, has gone one step further than calling this a DoS, describing the bug in stronger terms than Intel’s:
An attacker could manipulate the vulnerability to prevent a system from booting, to cause it to operate in an unusual way, or execute arbitrary code during the system boot sequence.
In other words, Lenovo isn’t ruling out the possibility of a crook taking over the bootup process in a systematic way, rather than just trashing the flash to stop your computer working properly.
(There’s a big difference between a computer “that doesn’t work properly” and one that “definitely works improperly”!)
What to do?
Unfortunately, updating against bugs like this is a bit like fixing holes in Android – the owner of the technology not only has to identify the problem and figure out how to patch it, but also to convince a sprawling ecosystem of manufacturers, integrators, suppliers, vendors and so on to push out the actual fixes in their chosen ways.
So watch for updates from your device vendor or supplier and apply any patches or system updates as soon as you can.
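While you wait for a vendor patch, the check a defender usually wants is whether the “formal protection” that 1990s motherboards lacked is actually switched on in your chipset: modern Intel platforms gate writes to the SPI flash with lock bits in the BIOS Control Register. The following is an added example, not code from this article, Intel or Lenovo; it decodes such a register value and gives a verdict. The bit layout it assumes (BIOSWE = bit 0, BLE = bit 1, SMM_BWP = bit 5, register at PCI config offset 0xDC of the LPC bridge at 00:1f.0) follows Intel’s PCH datasheets, and the byte values it is fed are constructed samples, not readings from a real machine; on a live system the byte would come from a tool such as `setpci -s 00:1f.0 dc.b`.

```python
# Added example: decode the Intel PCH BIOS_CNTL register bits that gate
# SPI flash (BIOS region) writes, from a defender's point of view.
# Bit layout assumed from Intel PCH datasheets; the sample values at the
# bottom are constructed, not captured from a real machine.
from dataclasses import dataclass

BIOSWE = 1 << 0    # BIOS Write Enable: 1 = flash currently accepts writes
BLE = 1 << 1       # BIOS Lock Enable: setting BIOSWE raises an SMI so firmware can veto it
SMM_BWP = 1 << 5   # SMM BIOS Write Protect: writes allowed only while all cores are in SMM


@dataclass
class BiosWriteProtection:
    write_enabled: bool
    lock_enabled: bool
    smm_only: bool

    @property
    def protected(self) -> bool:
        # Conservative rule of thumb: the flash counts as locked only if BLE
        # traps a raw BIOSWE flip, SMM_BWP closes the SMI-handler race, and
        # BIOSWE is not currently set.
        return self.lock_enabled and self.smm_only and not self.write_enabled


def decode_bios_cntl(value: int) -> BiosWriteProtection:
    """Decode one 8-bit BIOS_CNTL value into the three bits we care about."""
    if not 0 <= value <= 0xFF:
        raise ValueError("BIOS_CNTL is an 8-bit register")
    return BiosWriteProtection(
        write_enabled=bool(value & BIOSWE),
        lock_enabled=bool(value & BLE),
        smm_only=bool(value & SMM_BWP),
    )


def parse_setpci_output(text: str) -> int:
    """setpci prints a byte register as two hex digits, e.g. '2a'."""
    return int(text.strip(), 16)


def report(value: int) -> str:
    """Human-readable one-line verdict for a BIOS_CNTL value."""
    s = decode_bios_cntl(value)
    verdict = "LOCKED" if s.protected else "WRITABLE"
    return (f"BIOS_CNTL=0x{value:02x}: BIOSWE={int(s.write_enabled)} "
            f"BLE={int(s.lock_enabled)} SMM_BWP={int(s.smm_only)} -> {verdict}")


if __name__ == "__main__":
    # Constructed sample readings (what `setpci -s 00:1f.0 dc.b` might print):
    # 0x2a = BLE + SMM_BWP set, BIOSWE clear  -> LOCKED
    # 0x08 = no lock bits at all               -> WRITABLE
    # 0x2b = locks set but BIOSWE also set     -> WRITABLE (treated as suspicious)
    for sample in ("2a", "08", "2b"):
        print(report(parse_setpci_output(sample)))
```

A machine that reports WRITABLE here is one where a local attacker with sufficient privilege would not even need a chipset bug to rewrite the startup flash, so it is worth raising with the vendor alongside the INTEL-SA-00087 update; a LOCKED result is necessary but not sufficient, since the advisory concerns the SPI configuration itself, which this single register does not fully describe.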