Another PIII ID Exploit Found

Peter Hernberg writes "Well, it looks like someone has found another exploit to get your PIII ID. The new story is here.. " Cyrix and AMD are looking shinier each day.
  • by Anonymous Coward
    Symantec calls the ZKS demo a Trojan even though ZKS clearly explains what it is. There is no "hidden" behaviour, it is explained on ZKS's website.

    This action by Symantec appears to be politically motivated due to partnerships(?) with Intel.
  • I guess Intel figures what's good for M$ is good for them.

    Why acknowledge that there are gaping security holes when you can just convince everyone that it's a virus? There's already a precedent...can you say Word Macro-Virus? Can you say ActiveX? People seem to think they're helpless in the face of a "virus" when they should be howling to get the security holes fixed.

    Phew! *lights smoke* that rant felt good.
  • "Step 3--The user's computer downloads the ActiveX code and simulates a 'Blue Screen' crash, a [[generally benign event most users are familiar with]] and that would not necessarily arouse suspicions. The user's computer is rebooted at this point. Unknown to the user, the Active X control has placed on the computer a 'Trojan Horse' designed to bypass Intel® 's Pentium Serial Number control utility and place the user's Pentium® Serial Number in a cookie that can be read by Web sites on the Internet."

    I find this rather funny. I guess those guys have never lost hours worth of new code or gameplay time when their windows machine locks mysteriously.
  • It's designed for computers that have an older BIOS which doesn't have the option to disable the CPU ID before boot.

    Timur Tabi
    Remove "nospam_" from email address
  • AMD is looking very nice...

    I've recently been looking for components for a new SMP box I'm putting together. It seems that Intel is really pushing the PIII. A quick search on pricewatch shows that prices for the lower MHz PIII's are in line with the faster PII's.

    I chose the PII 450. I didn't want to bother with re-wiring and overclocking a Celeron300a.

    I'm waiting to see what the K7 will be like....
  • This is rich:

    Software virus not needed, Hardware virus built in!

    What next?
  • Make sure the Pentium® III computer you own has a BIOS that allows you to turn off the serial number. There is currently no known way to read the serial number if you have disabled it in the BIOS.

    Oh? I can see some BIOS flashing virus leave that claim to shame. Beware of sploits.
  • I never bought Intel's line that this has anything to do with security.

    Personally, I think it has more to do with tracking stolen or overclocked chips. I'm pretty indifferent to all of it. Intel's only mistake seems to be to try to sell the public on this sort of thing. Especially for security purposes.

    I wonder what it would take to 'emulate' a Pentium on a Pentium, and forge the ID?

  • It would become evident on one level or another I think when whatever Powers That Be started exploiting hidden chip id's for whatever nefarious purposes they have in mind. The minute they blast someone in court after tracking them down via the chip id, the cats will be out of the bag and on their way to Slashdot.


  • My question is this... would the anti-virus software detect the exploit if it were coded differently? I'm sure that the details of this will soon make their way to many cracker sites. What happens then? Do we hope that Norton and the other anti-virus people can keep up?
  • The stated goal of the PIII ID is for use in the consumer market as a unique identifier for e-commerce. It has nothing to do with 'entering a high-end server market' or any inability to split the two. Clearly Intel is capable of setting up dual product lines for servers and consumers, witness the Celeron and PII.

    The issue that everyone is uncomfortable with is the default settings for default users, people like your mom and dad who just want to run windows and forget about it, maybe buy a book off of amazon every so often.

    If people can take advantage of these, the script kiddies and hAXors and the rest will take what they can. Yes, I can feel safe inside of my secure linux box, but I cannot bless or condone the threat that intel would like to pose to others who are not as fortunate as I...

    It is not a fair compromise to disable the chips if you can't disable them in the first place. (I don't much think it's a good solution anyway, but if you do, they should still fulfill that obligation)
  • "...why should Windows/Intel users have to buy another piece of software to protect themselves from a potential security problem in the processor? "
    Uh, because they were unwise enough to buy the processor?

  • I wonder what the virtual cpu under VMware looks like to this ActiveX control? Anyone have the setup to test this?
  • If the anti-virus stuff is smart it will just check for an inconsistent setting in the IDenable bit and scream back to the user after fixing it. This could be done on boot and periodically while running....
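As an added illustration of the check proposed in the comment above (this is not code from the thread, from Zero-Knowledge, Intel or Symantec), a small C routine that reads CPUID leaf 1 and compares the PSN feature bit against the owner's expected state. It assumes an x86 build with GCC/Clang's <cpuid.h>; the hex register values in the test are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>           /* GCC/Clang wrapper around the CPUID instruction */
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* CPUID leaf 1, EDX bit 18 ("PSN"): processor serial number present and
 * enabled. A Pentium III whose serial number was disabled by the BIOS or by
 * Intel's control utility reports 0 here; later CPUs always report 0. */
#define CPUID1_EDX_PSN (1u << 18)

/* Pure helper, testable without real hardware: does this leaf-1 EDX value
 * report the serial number as enabled? */
int psn_flag_set(uint32_t edx1)
{
    return (edx1 & CPUID1_EDX_PSN) != 0;
}

/* The "inconsistent setting" check from the comment: the hardware says
 * enabled although the owner's policy says disabled. Returns 1 on a
 * violation, 0 otherwise. */
int psn_policy_violated(int want_disabled, uint32_t edx1)
{
    return want_disabled && psn_flag_set(edx1);
}

/* Read CPUID leaf 1 EDX from the running CPU. Returns 0 on success and
 * -1 when the leaf cannot be queried on this build or platform. */
int read_cpuid1_edx(uint32_t *edx1)
{
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    *edx1 = (uint32_t)edx;
    return 0;
#else
    (void)edx1;
    return -1;
#endif
}

/* Convenience wrapper: 1 = enabled, 0 = disabled/unsupported, -1 = unknown. */
int psn_enabled_on_this_cpu(void)
{
    uint32_t edx1;
    if (read_cpuid1_edx(&edx1) != 0)
        return -1;
    return psn_flag_set(edx1);
}

int main(void)
{
    uint32_t edx1;
    /* Re-enabling the serial number takes effect only after a reset (hence
     * the demo's forced reboot), so a monitor like this belongs at boot and
     * on a periodic timer, exactly as the comment suggests. */
    if (read_cpuid1_edx(&edx1) != 0) {
        puts("CPUID leaf 1 not available on this platform");
        return 1;
    }
    if (psn_policy_violated(1, edx1))
        puts("WARNING: processor serial number is enabled but policy says disabled");
    else
        puts("processor serial number disabled or not supported");
    return 0;
}
```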
  • You make some good points, and for the most part I agree with them. However, I don't think Intel's asking Symantec to include the exploit in their virus list is an attempt to undermine ZeroKnowledge, but rather is an attempt to protect the owners of PIIIs. There's no way to prevent someone malicious from using the exact same exploit to steal people's ID numbers. If the antivirus program can warn about it, then people won't get taken advantage of by sites whose purpose is not legitimate.

    Of course, life would be much better for all involved if ActiveX were to die a quick death. Unfortunately, I don't see that happening anytime soon.

  • well, the P3s are roughly 10% faster than a P2 at the same clock rate. Plus you get the SSE instructions (which nobody really uses yet, so there's no immediate benefit from SSE at this time, except graphics drivers which I've heard can get boosts of 25%).

    Dual 350s or so would be better, as far as cost/performance I'd imagine (the slower FSB on the 333s would probably make the 350s a better deal). But then you have to run an SMP-aware OS, which is no biggie for most of us, but might be for all those people who want to run Win98 so they can play those games they can't get running well under NT or WINE)
  • Did a little digging on their page. Turns out this exploit:

    a) crashes the user's machine
    b) installs code to bypass the PIII feature
    c) uses that to set a cookie and display it to other websites.

    Intel may have been correct - this has all the earmarks of a trojan.. and regardless of who publishes it, it still remains one. But it's still incredibly petty of them to have Symantec put a patch out for *just* the Zero Knowledge program. A real solution would be to have Symantec develop an algorithm to warn the user of *any* attempt to bypass the PIII control panel, not just Zero Knowledge's ones.

    Sorry intel, close - but no cigar.

  • It doesn't have to be craptivX that runs this, right? I can write a windows mail program that enables the PIII serial number during its installation and secretly signs each E-mail you send with the serial number, right? Of course, I'd probably just use the Windows serial number for that but it's nice to have my options open...

    Sign the email with the PIII serial number, the Windows serial number, and any software Id codes you can find. Collect as many of these as you can.

    Then look for duplicate software id codes from different PIII/windows serial numbers. Use the ethernet number in the windows serial number to look up the IP number. Resolve the IP number back to a service provider. Fill out a warrant for information from the service provider. Retrieve home addresses and send out the boys in blue to collect the hard evidence in the form of the computer PIII, ethernet card and hard drive.

    It would be easy enough for M$ to hide a macro virus like VB code in the latest patch/OS that would send the email. The rest of the process could be automated right up to emailing the local police a request for a search warrant with all the relevant information attached.

    Now if this happens to anyone do you think they could sue M$ for theft of services in running the email macro virus on their personal computer? Whoever has most $ for the lawyers wins.
  • I wonder what it would take to 'emulate' a Pentium on a Pentium, and forge the ID?

    Not much, probably. Ultimately, it's the communications software that's trusted, not the hardware. If a web site wants to know what your CPU ID is, it can either: 1) Ask the browser, or 2) have the client download a piece of trusted code (a signed ActiveX, perhaps) which queries the CPU ID and sends it back, possibly encrypted.

    Either case is easy to spoof. In the first case, you just patch the browser, and have it send a spoofed ID. In the second case, you modify the browser to trap the ActiveX download, and then have it patch the ActiveX in memory to spoof the ID. The patched ActiveX then happily encrypts your spoofed ID, and sends it back. There's no way the web site can know what happened.

    Granted, the second exploit is harder to pull off, but no harder than taking advantage of a buffer overrun, or disabling software copy protection, and both are provably doable.
  • actually, no, it's not even close. however much antivirus sw vendors may keep bragging about their heuristic virus detection algorithms, it's ultimately a lost game (and equivalent to the halting problem for turing machines, to boot). there's no way any piece of software can identify all possible bits of code that will simulate a bsod and retrieve the p3 number before intel's program turns it off.

    i have to agree with the "it's a trojan" side of things, too; this program just demonstrates that whenever you run untrusted binary code on your system, it can fuck you up. big news... NOT.

    the real problem is not with having a serial number on p3's, it's with idiotic Intel trying to sell the idea that browsers should retrieve this number and pass it around.

    I look forward to the day mozilla has the ability to do this, so I can hack it (or get patches, I'm sure many people will be making those) to send random numbers.

  • yeah i remember them. i hear a fourth album is coming soon, too.
  • Okay, so, they run some native code that they have to beg me to give permission to run (ignoring the fact that if I were to give some other ActiveX control the same permission it could just read my registry, hard drive directory, and install a keyboard monitor to catch my credit card numbers) which installs a program (I am assuming here) that will turn on my PIII serial number when I reboot..
    Of course, if I had a PIII I would have the program that turns the serial number off in my bootup so that it was always turned off as my computer boots...
    Sorry, just not very worried. The PIII serial number is pure, liquid evil, but this "exploit" is a joke.
  • Using ActiveX was a good way for them to make their point as MS is still the most popular OS/Browser for the average user.

    I'm willing to bet that this could just as happily been done in assembler or C. (Admittedly, this would make it a pain to use over the Web, but Java may work just as well.)


  • I believe that "Windows Update" does exactly what you suggest.
  • This has been out for almost 2 months now. It was on HNN back in March. Funny how the mainstream just got a hold of this...
  • What a ridiculous attitude. This exploit can not effect you unless you already are willing to download and execute (?!) foreign code. If you do those sorts of things, then nothing that Intel puts in their chips is going to lessen your privacy or security.
  • Actually, they don't claim they can read the PSN if it is disabled in BIOS. In the FAQ, under "How can I protect myself", they say:
    Make sure the Pentium® III computer you own has a BIOS that allows you to turn off the serial number. There is currently no known way to read the serial number if you have disabled it in the BIOS.

    If you do not have the ability to turn off the serial number in the BIOS, do not rely on the PSN control utility to keep the serial number private. Please contact your manufacturer and ask for an update to your BIOS.

    I believe you are correct that the exploit is not limited to ActiveX.
  • For this reason I think Linux is ultimately doomed. Maybe my hacking skills are not quite up to it but I've been trying to write a Linux version of M$ BSOD for months now and I just can't get it to work. Getting the text and colour right was a cinch. But every time I find a way to totally hang the box Linus breaks my code by fixing the kernel. Can anyone help with this ?
  • > I guess those guys have never lost hours worth of new code or gameplay time when their windows machine locks mysteriously.

    I would guess that it happens all the time, but that they just think it's normal.
  • What the hell? It's ok now for Intel to just declare things it doesn't like as viri and bully the Anti-Virus makers into doing their dirty work? Here you go DOJ, do your worst against this NOT so Phantom Menace. While I can appreciate INTEL's investment in Linux by working with RedHat and Cygnus, this goes too far. I'm not sure I want that kind of Dirty Money in our Community. I guess it's not a far away day when Intel will be telling us what's good for us by forcing SuSE & RedHat into stuff they don't want to do. I dunno, I call BullShit Intel, time for you to drink!
  • I would have to argue that given the legal atmosphere today, you can surely expect to be sued or brought up on charges in some way if there was one stupid user that didn't like it. Boston, for example, is trying to sue Gun Manufacturers for the cost incurred in providing free health care to some of the less affluent victims of Gun shot wounds. Does that really make sense? Is there anyone on this planet that doesn't know that guns were designed to KILL. Look at the states v. tobacco settlement. If a company made something and sold it without any misrepresentation, they would still be held responsible for the Consumer's Stupidity. If another company were coerced into making a blocking product then I think it's clear that there is a monopolistic tendency there. I guess now, the big question is, "Does Intel have any fingers in the 'Net Filtering software to filter out anti-intel sites?" - That's not even close to paranoid in light of the NAV thing.

  • I thought that was a nice touch. Nothing quite like a little paranoia.

    For a company as powerful as they are, I was really impressed with Intel's behavior up until fairly recently (the last couple years.) It seems like they are really pushing the limits in the same way MS does (not that they are explicitly unethical but they dance close enough to the line that it makes you question it)

    I can understand some things, they are being attacked by a lot of different companies on a lot of different levels but it's getting pretty bad. Symantec has no reason at all to list this program as a virus or a trojan, Intel needs to come up with a better scheme.

  • I think the zeroknowledge example code has been around for a while now. The real news today centers around the discovery of Intel getting the antivirus people to declare the zeroknowledge stuff malicious.

  • One other thing:

    If Intel really wanted to use the PIII for nefarious purposes, why would they go to all this trouble to stop someone using it for nefarious purposes?? I mean, I enjoy conspiracy theories as much as the next person, but they are just a *game*.

  • jovoc wrote: "Uh.. it crashes the computer, but only with your consent. There are big bold letters warning you that this will happen if you press "ok". "

    Yes; and if I copied the ActiveX control and put it on a webpage saying click here to see my comments on slashdot, then that would also crash your computer. There is a difference between the HTML and the ActiveX control. I'm assuming the Symantec/Intel and co aren't saying that visiting that webpage is bad, just that running that ActiveX control is bad. Good for them. It is bad. And if you want to ignore the warnings of an anti-virus program, go for it. But don't complain when something that you didn't want to happen happens.

    jovoc wrote "Heh, under that definition, Windows itself is quite a virus. "

    In case it wasn't clear, I meant intentionally crashes your computer. If a bug in the program causes the computer to crash, it's clearly not a virus.

  • by MSackton ( 26533 ) on Thursday April 29, 1999 @03:11PM (#1910770)
    I have to say, I find all the disgust over Intel's PIII id somehow overstated in the linux community and these recent comments seem to be the worst.

    Intel has asked that anti-virus people list as a virus a program that *crashes the users computer without their consent*! What definition of virus are people using such that this doesn't qualify? Not only does it crash the user's computer, it reveals information that the user doesn't want revealed. If instead of revealing the PIII, this program searched for Quicken documents and mailed them to a hotmail account, would we be saying that whoever makes Quicken shouldn't call it a virus?

    I agree that on general principle the PIII id isn't a wonderful idea, but I can understand why Intel did it. Most high-end computers (Sun, SGI, Alpha?, etc) ship with some sort of unique id, for licensing purposes. The only reason people don't get upset about that is that they are not personal computers, but servers, so they cannot be linked to an identity. Intel wants to enter that market, and CPU ids are needed. But they then anger the consumer market. What should they do? The road they took (disable the PIII id, unless you need it for a server) seems like a fair compromise. Why is everyone so upset at them?

    Finally, under a real operating system, this sort of exploit would be useless unless it was run as root. And if you go web browsing as root, you deserve what you get :-)

    Mike Sackton
  • Well, yes and no. From what I've read, this exploit (however u spell it) relies on some ActiveX program running on your local machine. AFAIK, there is little ActiveX support for Netscape (there are commercial plug-ins, but I'll be damned if I pay money just to use ActiveX docs).
    The "virus" may have to be integrated into the Flash BIOS to fake out the ID. That would mean the "virus" would be BIOS specific, perhaps even machine specific (definitely a roll-your-own-virus program :) ). Anyone got an easier idea?
  • > Intel has asked that anti-virus people list as virus a program that *crashes the users computer without their consent*!

    Uh.. it crashes the computer, but only with your consent. There are big bold letters warning you that this will happen if you press "ok".

    Heh, under that definition, Windows itself is quite a virus.

  • Maybe there is no deliberate intent to discredit Zero Knowledge, but why should Windows/Intel users have to buy another piece of software to protect themselves from a potential security problem in the processor?

    As a side note -- how long until someone comes up with a similar piece of code that IS malicious and is NOT publicly announced?

    I see this as an unfortunate example of corporate cost/benefit analysis. It's too expensive to go back and fix the security problem or remove the ID altogether. Just declare the code which exploits it as potentially malicious, then partner with a software company to develop protection against it. It's a win-win for everyone except the customer, who ends up gouged.

    Everyone (including Intel, I'm sure) knows that the Right Thing is to fix the problem and release PIIIv2, but that's expensive and it's bad PR to admit a problem (everyone will want a free replacement).

    Maybe my expectations are too high, but stuff like this makes the "Ralph Nader" in me a little angry.
  • by DonkPunch ( 30957 ) on Thursday April 29, 1999 @11:21AM (#1910774) Homepage Journal
    It is disturbing how some companies react to people who find flaws in their product.

    Remember the Internet Exploder control? It was an ActiveX component which, when loaded with a web page, would count down ten seconds and shut down a Windows computer. The creator did it for the sole purpose of demonstrating potential security dangers with ActiveX.

    Microsoft and Verisign threatened the guy with court action for obtaining a Verisign certificate under false pretenses. Never mind that part of his demonstration was just how easy it is to obtain such a certificate.

    Now Intel has declared Zero-Knowledge's little demo to be a virus or trojan. Apparently, the goal is to discredit them. The worst part is that I think just about everyone saw it coming before they even got to "Intel's response" part of the article.

    Here's the obvious part of my comment -- this tactic is pretty foreign to the Free Software community. It seems that most security problems with Free operating systems are received with, "thank you," and then they are FIXED. If you actually write a program which demonstrates the problem, you're a hero. No one attacks your credibility or motives. In fact, you are likely to GAIN credibility.

    Of course, by posting this here I'm pretty much preaching to the choir. :)
  • Just to add/refute abit on the 'obvious part' of your comment. The tactic of hauling in a legal team is different than that taken in free software. However, there is a very split set in the security sector on the appropriate way to find and discuss bugs.

    Almost monthly, you'll get flames start up Bugtraq about this. Bugtraq is a full disclosure unix security list - often, raw exploits are posted to it, or tools that someone used to replicate a problem they may have found in software (free or not). Very often, you'll have the author - a vendor, a coder, or a maintainer - or another person bitch about this, because they weren't given prior notice or warnings, etc. Example: The lsof bug of February (thread starts here).

    These threads sometimes, in fact, revolve around people posting for credit or ego/status. While Intel is acting very different, our free movement is not always the clean "thank you" we'd like. However, that's often justified - especially with free software, its better to come bearing patches rather than problems.

    Of course, regardless, our bugs get fixed faster.
  • Actually, since word is really just a bloated virus breeding ground, I suggest they list Microsoft word as a virus.

    I have had to tell many many people, "sorry, I can't help you recover your document. It was eaten by a word macro virus." At which point they leave the room crying because they spent the last 2 years writing that thesis. . . .
  • For those people out there without the honorable intent that Zer0Knowledge has, I think NAV popping up a warning when this type of control is a good thing. Last time I checked (which was a while ago...) I could copy X controls and use them on my site.


  • o my my..

    as if i was not easy enough to identify as some insane /.er you can say hi to my office too. now won't my boss be happy about the security breach?! this will prevent several banks from doing online banking for a good while once the top brass find out about it. so much for e-commerce. stuff like that is what keeps a lot of companies off of the internet in the first place. if intel really wanted to sell the idea of the internet and their chips as business sales tools then they really should take a few clues from the financial world and do their damnedest to keep security and privacy specs up to date.

    you know, that is just all i need.. as if it was not easy enough to spot a red dress and lapel pin insignia..

    if you don't look at the fnords, they won't eat you.
  • Symantec declares this as a Trojan. It doesn't harm anything. This is just abuse of power by Symantec and Intel.
  • Isn't it easier to get to ring0 the CIH way (modify IDT, generate exception)? I guess you wouldn't have to reboot that way (I can't test it ;-)
  • CIH source still at:

    (sssh! don't tell anyone)
  • If Intel can write a utility in software that lets you enable or disable the PID, then obviously any program with access to the hardware (like on Win95) can do the same. Just a matter of disassembling that utility.

    It is nowhere stated that the PID is retrieved before the reboot.

    So there's nothing about this 'exploit' that gives any new insights.
  • Uhh, i think you should visit the page, because it is quite apparent that you haven't. The claim is that it will extract the PID even if you've disabled it through software or BIOS. I say claim because I can't exactly try it myself: I'm running dual Pentium II's, which is a lot cheaper than a Pentium III. I would also extrapolate that the ability to extract the PID is not limited to ActiveX; I imagine that one could write a trojan that could do the same thing.
  • On a related sidenote, NAV gets really obnoxious when you try to visit the Zero-Knowledge page about the exploit. It harassed me at least 3 times before letting me view the page. I suppose it would be useful if it were malicious, but in this case, I think it's just really stupid and really annoying...
  • Can't agree more...I just upgraded my K6 233 to a dual Pentium II 333 for hundreds of dollars less than it would cost to upgrade to a Pentium III...I suppose I might be missing the benefits of SSE (after all, you do need a Pentium III to surf the web and type letters...), but when I run NT (and hopefully Linux, if I can ever successfully compile SMP support into my kernel), my box can eat Pentium III's for lunch...