Intel's embattled new processor is taking another beating.
Canadian software developers claim they've figured out a way to bypass security measures that the company says protect the Pentium III's controversial serial number.
Montreal-based Zero Knowledge Systems said Wednesday that a small ActiveX program can bypass the company's control utility.
According to Zero Knowledge, "the exploit places the serial number in a cookie file to demonstrate how easily a malicious attacker could activate or steal a user's serial number, even when the Intel utility indicates the ID number is turned off."
The Pentium III is Intel's new flagship processor, but even before release it had been something of a PR disaster. It heralded the addition of a unique serial number as an e-commerce security measure. However, privacy-rights groups say that the number actually undermines online security for users. These groups say the only way to remedy the problem is to pull the chip from the market and remove the number.
Instead, Intel (INTC) has released a patch that allows users to "turn off" the serial number. That patch, Zero Knowledge claims, only leaves users vulnerable.
"Our research shows that Intel's patch can actually leak out your serial number even when it tells you that you're safe," Austin Hill, president of Zero Knowledge Systems, said in a statement. "We are very concerned about the public's ability to protect their privacy while using a Pentium III."
Zero Knowledge said it demonstrated the patch's vulnerability by hiding the ActiveX control in a banner ad. When users click on the ad, the control simulates a computer crash. But at the same time, a "Trojan Horse" designed to bypass Intel's protections is loaded onto the computer.
Rebooting the computer gives the ActiveX control the opportunity it needs to grab the serial number and place it on a cookie.
Intel spokesman Tom Waldrop said the Zero Knowledge hack didn't appear to be significantly different from the flaw discovered two weeks ago by the German magazine c't. Waldrop said it looked like both hacks exploited a software control utility to turn the serial number on and off. "If someone was so motivated and had the time and the resources, they could indeed find a way to sneak a look at someone's serial number," said Waldrop. "In the end, all software can be attacked."
Zero Knowledge Systems is preparing to release Freedom, a subscription-based service that uses multiple layers of strong encryption to enable users to surf the Internet in complete anonymity. The system will support a level of privacy never before possible on the Internet.