Tag Archives: BIOS

Responding to the recent ZombieLand 2 TSX Vulnerabilities

These vulnerabilities can only be exploited by attackers who have already compromised a system. Practice standard security precautions and install updates from hardware vendors and for your software (links provided below) when they become available. Resolution for vendors that offer cloud computing will have a more involved decision making process to consider (see below).

Early last week, security researchers disclosed security researchers disclosed further vulnerabilities within Intel’s processors.

How severe are these vulnerabilities?
These vulnerabilities ca be classed as medium severity. An attacker must already have compromised your system in order to exploit these vulnerabilities. This most recent set of vulnerabilities collectively known as ZombieLoad 2 or Transactional Synchronization Extensions (TSX) Asynchronous Abort affect Intel processors produced in the last approx. 2.5 years (August 2017 onwards).

For full technical details of these vulnerabilities, please see this page from Intel and this page from the security researchers. In summary these vulnerabilities according to the researchers allow “a malicious program to exploit internal CPU buffers to get hold of secrets currently processed by other running programs” leading to “these secrets such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys” being used by other running programs.

Of particular note are the performance implications for protecting virtual machines. If your organisation is running potentially untrusted code within virtual machines, protecting that environment will incur a performance penalty. You may need to carry out a risk assessment to determine if enabling these performance reducing mitigations outweigh the risk of putting your virtual machines at risk. Nested virtual machines will be most affected by the performance penalty.

How can I protect my organisation and myself from these vulnerabilities?
These most recent vulnerabilities can be mitigated by updating the firmware (defined) of your system. This is sometimes referred to as the UEFI / BIOS (defined) of your system.

They will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard (defined) manufacturer for any custom-built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

In addition, operating system vendors and virtualisation software vendors have made patches available (links provided below).

Thank you.


HP Enterprise:

Fedora (referring to the Xen virtual machine (see also below):

Red Hat:













Performance impact to Xen:

Security advisory:

Further information:

VMware Performance Impact Statement addressing mitigations for Machine Check Exception on Page Size Change (MCEPSC) CVE-2018-12207:

APT28 Group Distributes First in the Wild UEFI Rootkit

Update: 6th February 2019
In mid-January, the IT news website; The Register provided details of an analysis of this threat from the security firm Netscout. They concluded that they believe the malware utilising the UEFI rootkit began as long as 2 years ago:

In addition; the command and control (C2) (defined) infrastructure originating from this threat remains operational but has reduced from 7 servers to 2. The attackers also have further servers and reserved IP addresses ready to use should they need to.

Thank you.

Original Post:
In late September; researchers from the security/anti-malware firm Eset discovered the first UEFI (defined) rootkit (defined) being used in the wild (namely being present on computing devices used by the general public in their professional and personal lives).

The APT group known as APT28 (who we discussed before on this blog) has been named as being responsible for this advanced threat being distributed to victim systems located in the Central Europe, Eastern Europe and the Balkans.

Why should this threat be considered important?
While this threat is so far limited to targeting systems in Central Europe, Eastern Europe and the Balkans; it has the potential to set a precedent to dramatically increase the persistence of malware on selected systems. This is due to the fact that to save time malware removal usually involves re-installing the operating system. More advanced users may choose to re-create the MBR/GPT, replace the boot sector and rebuild the BCD. Even more informed users may replace the hard disk to remove the malware. This new threat is significant since all of these steps would not remove it.

Eset researchers discovered that the LoJack anti-theft software which was installed compromised systems was being leveraged to start the attacker’s malware instead by using the Windows registry (defined) to load files with very similar names to that of the legitimate LoJack software. They also located a kernel (defined) driver (defined) being used to write the systems firmware when required. Since this tool was a legitimate tool; it has a valid digital signature. This is significant; otherwise the attacker’s tool would not have worked on a 64 bit Windows system. Should attempts to write to the firmware fail, the malware uses a 4 year old vulnerability CVE-2014-8273 (a race condition (defined)) to bypass the write lock.

Once the firmware has been updated it replaces the original LoJack software files with hijacked versions designed to enable further persistence on the compromised systems, namely a backdoor (defined).

How can I protect myself against this threat?
While it is less likely a threat of this sophistication will become widespread; the steps below will help to defend you against this and similar threats in the future. How this threat establishes an initial foothold on a system was inconclusive by Eset. However exercising caution on the links you click in emails, IMs and social networking should provide some form of prevention. Keeping your system up to date should also prevent a drive by download (defined). However I will detail more specific defensive steps below:

Eset determined that this threat can be prevented from affecting a system by enabling the Secure Boot hardware security feature (if your system has this feature available; most systems manufactured from 2012 onwards do). Any system with a certified Windows 8 or Windows 10 badge on the outside will have Secure Boot enabled with no action required from you. Secure Boot works even better when paired with Intel BootGuard (corporate users are more likely to use/enable this feature).

If the rootkit had affected the system described above it would have then refused to boot due to Secure Boot being enabled. It’s important to clarify that Secure Boot won’t prevent the infection/tampering but it will prevent that tampering from starting the system for use as normal.

Secure Boot was added to Windows 8.0 in 2012 to prevent unsigned components (e.g. rootkits) from affecting a system so early in the boot process that anti-malware software would be unable to detect or prevent that component from obtaining a privileged level of access over the system.


Keeping the UEFI firmware of your system up to date will assist with resolving known vulnerabilities within the firmware. Patching known firmware vulnerabilities makes your system less vulnerable to low level attacks such as this. Please only install UEFI firmware updates from your system vendor. Check the vendor’s website or contact them to determine if you need a UEFI firmware update and how to install it. If possible/available verify the checksum (defined) of the file you download matches the vendors provided checksum. I use the word available above since not all vendors provide checksums of the firmware updates they distribute which would allow you to verify them.

More recent Intel motherboards (defined) are not vulnerable to the race condition by Eset in their paper (more details available here). These modern chipsets feature a Platform Controller Hub (present in Intel’s Series 5 chipsets and later (available circa 2010 onwards).

If you know of a system affected with such a low level threat you may be able to update the UEFI firmware with a known safe version from the vendor but this is not guaranteed to work. Replacing the hardware will be a more reliable alternative.

Thank you.

Details of Spectre Next Generation (NG) Vulnerabilities Emerging

Update: 23rd May 2018:
Please refer to the new blog post I have added to document and provide information on these new vulnerabilities.

Thank you.

Original Post:
Separate to my previous in-depth discussion of the Meltdown and Spectre vulnerabilities; I located this news article announcing the discovery of new vulnerabilities affecting Intel CPUs (and possibly ARM CPUs too). Few details are available; apart from that the vulnerabilities also affect Intel’s SGX (Software Guard Extensions)(defined) instructions and can be exploited within a virtual machine (defined) to gain access to the host (physical system).

It is likely further microcode updates from Microsoft and firmware update from Intel will be made available in the coming weeks. It is unknown if these new vulnerabilities dubbed Spectre Next Generation (NG) will be as serious as the original Meltdown and Spectre (Variants 1 and 2) disclosed in January.

On a related note (and discussed in another post); Microsoft resolved a regression in their Windows 10 Meltdown patch that was found by Windows Internals and security researcher Alex Ionescu. The fix was already included in Windows 10 Version 1803 (the April Update) and was provided to Version 1709 this month.

Thank you.

Responding to the Meltdown and Spectre Vulnerabilities

Please scroll down for more updates to this original post.
Update: 23rd May 2018:
For information on the Spectre NG vulnerabilities please refer to this new blog post

Thank you.

Original Post:
Earlier in January updates for Linux, Apple and Windows were made available to work towards addressing the 3 security vulnerabilities collectively known as Meltdown and Spectre.

Why should these vulnerabilities be considered important?
I’ll provide a brief summary of the two categories of vulnerabilities:

Meltdown (CVE-2017-5754): This is the name of the vulnerability discovered that when exploited by an attacker could allow an application running with standard privileges (not root or elevated privileges) to read memory only intended for access by the kernel.

Spectre (Variant 1: CVE-2017-5753 ; Variant 2: CVE-2017-5715): This is a category of two known vulnerabilities that erode the security boundaries that are present between applications running on a system. Exploitation can allow the gathering of information from applications which could include privileged information e.g. usernames, password and encryption keys etc. This issue can be exploited using a web browser (e.g. Apple Safari, Mozilla Firefox, Google Chrome, Microsoft Edge (or IE) by using it to record the current time at very short intervals. This would be used by an attacker to learn which memory addresses were cached (and which weren’t) allowing the attacker to read data from websites (violating the same-origin policy) or obtain data from the browser.

Browser vendors have responded by reducing the precision of JavaScript timing and making it more unpredictable while other aspects of JavaScript timing (using the SharedArrayBuffer feature) have been disabled.

More in-depth (while still being less technical) descriptions of these issues are available here , here and here.

How can I protect myself from these vulnerabilities?
Since these vulnerabilities are due to the fundamental architecture/design of modern CPUs; it is not possible to fully address them. Instead a combination of software fixes and microcode updates (defined) is more a viable alternative than re-designing the established architecture of modern CPUs.

In-depth lists of updates available from multiple vendors are available here and here. I would suggest glancing at the affected vendors and if you own a device/product from them; checking if you are affected by these vulnerabilities. A list of BIOS (defined) updates from multiple vendors are available here. Google Chrome has a Site Isolation mode that can mitigate these vulnerabilities which will be more comprehensively addressed in Chrome version 64 scheduled for release last this month.

At this time my systems required updates from Google, Mozilla, Microsoft, Apple, VMware, Asus, Lenovo and Nvidia. Many of many existing desktops are unlikely to receive microcode and BIOS updates due to be more than 3 years old. However my Windows 10 laptop has received a BIOS update from the manufacturer.

Are there disadvantages to installing these updates?
While these updates increase security against these vulnerabilities; performance issues and stability issues (Intel and AMD) after the installation of these updates have been reported. These vary in severity but according to Intel and Microsoft the updates will be refined/optimised over time.

Benchmarks (for desktops) made available by TechSpot show negligible impact on most tasks that would stress a CPU (defined). However any work that you perform which makes of large files e.g. databases may be significantly impacted by the performance impact these updates have when accessing files on disk (mechanical and solid state). For laptops the slowdown was felt across almost all workload types. Newer and older silicon were inconsistently impacted. At times even some Intel 8th generation CPUs were impacted more than 5th generation CPUs.

Details of the anticipated performance impact for Linux, Apple macOS (and iOS) and Windows are linked to. Further reports of reduced performance from Intel and Apple devices have also been recorded. Further details of a feature known as PCID (Process-Context Identifiers) within more recent CPUs which will help reduce the performance impact are provided here. For Intel CPUs, 4th generation Core CPUs and later should include it but any CPU manufactured after 2011 should have it (one of my CPUs; a Core i7 2600K has this feature, verified using Sysinternals Coreinfo). A full list of Intel CPUs affected by these vulnerabilities is here.

With the widely reported stability and performance issues present it is your decision if you install the necessary updates now or wait until further refinements. If you experience issues, please report them to the manufacturers where possible and within online forums if not. More refined updates will only be created if a need to do so is established.

I’m in the process of updating my systems but will benchmark them before and after each updates to determine an impact and make a longer term decision to keep the updates or uninstall them until further versions become available. I’ll update this post as I gather more results.

Update: 16th January 2018:
A newly released free utility from Gibson Research (the same website/author as the well-known ShieldsUp firewall tester) named InSpectre can check if your Windows system has been patched against Meltdown and Spectre and can give an indication of how much the performance of your system will be affected by installing and enabling the Windows and/or the BIOS updates.

Please note: I haven’t tried this utility yet but will this weekend (it will help with the tests I’m carrying out (mentioned above). I’ll update this post when I have tried out this utility.

Thanks again.

Update: 24th January 2018:
As promised I gathered some early results from a selection of CPUs and the results for all but recent CPUs are evidence they will experience a potentially noticeable performance drop:

CPUs supporting PCID (obtained using Sysinternals Coreinfo):
Intel Core i7 Extreme 980X @ 3.33 GHz
Intel Core i7 2600K @ 3.8 GHz
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ

CPUs supporting INVPCID (obtained using Sysinternals Coreinfo):
Intel Core i5 4590T @ 3.3 GHz
Intel Core i7 6500U (laptop CPU) @ 2.5 GHZ

Explanations of the purpose and relevance of the PCID and INVPCID CPU instructions are available from this Ars Technica article. The results from InSpectre only show positive results when both PCID and INVPCID are present backing up the observations within the above linked to Ars Technica article (that the updates take advantage of the performance advantages of these instructions when both are present).

The results from InSpectre back up these findings by stating that the 980X and 2600K will not deliver high performance protection from Meltdown or Spectre. Since my PCs are mainly used for more CPU intensive tasks (rather than disk intensive) e.g. games and Folding@Home; I still don’t expect too much of a performance decrease. The older CPUs are due for replacement.

You may ask; “why am I so concerned with the performance impact of these updates?” The answer is that significant time and investment has been made into the above systems for them to perform at peak performance for the intended tasks I use them for. Performance and security are both very important to me and I believe there should only be a small trade off in performance for better security.

My next step will be to benchmark the CPU, hard disk and GPU of each system before and after installing each update. I will initially do this for the 6500U and 2600K systems and provide these results. The categories of updates are listed below. I will keep you informed of my findings.

Thank you.
Update 1: Software updates from Microsoft for Meltdown and Spectre
Update 2: Firmware update (where available)
Update 3: Nvidia / AMD GPU driver update

Update: 13th February 2018:
Sorry for the long delay (I was travelling again for my work). The above benchmarking is now taking place and I will make the results available as soon as possible. Thanks for your understanding.

Update: 27th February 2018
Earlier last week Intel made available further microcode updates for more CPUs. These updates seek to address variant 2 of the Spectre vulnerability (CVE-2017-5715). Updates are now available for the CPUs listed below.

As before, please refer to the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems. Further information for corporate system administrators containing details of the patching process is available within this link (PDF):

  • Kaby Lake (Intel 7th Generation Core CPUs)
  • Coffee Lake (Intel 8th Generation Core CPUs)
  • Further Skylake CPUs (Intel 6th Generation Core CPUs)
  • Intel Core X series (Intel Core i9 CPUs e.g. in the 7900 and 7800 model range)
  • Intel Xeon Scalable (primarily targeted at data centres)
  • Intel Xeon D (primarily targeted at data centres)

Information on patches now available for OpenBSD and FreeBSD are located within the following links:

OpenBSD mailing list
The Register: OpenBSD Patch now Available

FreeBSD Wiki
Softpedia: Spectre and Meltdown mitigations now available

Update: 1st April 2018
As vendors have responded to these vulnerabilities; updates have been released for many products. I will describe these updates in more detail below. Apologies if I have omitted any, this isn’t intentional but the list below should still be useful to you:

Google ChromeOS:
Following the release of ChromeOS 64 in February which provided updates against the Meltdown and Spectre vulnerabilities, ChromeOS 65 includes further mitigations against these vulnerabilities including the more efficient Retpoline mitigation for Spectre variant 2.

Sony Xperia:
In late February Sony made available updates which include mitigations for Meltdown and Spectre for their Xperia X and Xperia X Compact phones which brings the build number to 34.4.A.2.19

Microsoft Issues Microcode Updates:
As previously mentioned when this blog post was first published; updates for the Meltdown and Spectre vulnerabilities are made up of software updates, microcode updates and firmware (BIOS updates) and GPU drivers.

Due to the complexity of updating the firmware of computer systems which is very specific and potentially error prone (if you apply the wrong update to your device it can render it useless, meaning it will need to be repaired/replaced (which is not always possible) Microsoft in early March began to issue microcode driver updates (as VMware describes they can be used as substitutes for firmware updates). Microcode updates have been issued in the past to address CPU reliability issues when used with Windows.

Intel Firmware Updates:
As with previous microcode updates issued by Intel in late February; these updates seek to resolve variant 2 of the Spectre vulnerability (CVE-2017-5715).

While Intel has issued these updates; they will be made available separately by the manufacturer of your motherboard of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have. You will have to determine from the updates those vendors issue if they are available for the products that you own.

Unfortunately not all systems will receive these updates e.g. most recent system was assembled in 2014 and has not received any updates from the vendor; the vendor has issued updates on their more recent motherboards. Only my 2016 laptop was updated. This means that for me; replacing the systems gradually is the only means of addressing variant 2 of the Spectre vulnerability.

Intel’s updates are for the Broadwell (5th generation CPUs i.e. 5000 series) and Haswell (4th generation CPUs i.e. 4000 series).

Microsoft Surface Pro:
Earlier this week Microsoft released firmware updates for their Surface Pro which mitigate the Meltdown and Spectre vulnerabilities. This link provides further details and how to install the updates.

Microsoft Issues Further Security Update on the 29th March:
As noted in my separate post; please refer to that post for details of a security update for Windows 7 SP1 64 bit and Windows Server 2008 R2 SP1 64 bit that resolve a regression (an un-intentional coding error resulting in a previously working software feature no longer working, alternative definition here) which introduced an additional elevation of privilege (defined) security vulnerability in the kernel (defined) of those Windows versions.

Microsoft Offers Bug Bounty for Meltdown and Spectre vulnerabilities:
Microsoft have announced bug bounties from $5000 to $250,000 to security researchers who can locate and provide details of exploits for these vulnerabilities upon Windows, Azure and Microsoft Edge.

If such a programme is successful it could prevent another instance of needing to patch further related vulnerabilities after the issues have been publicly disclosed (defined). This is sure to assist the system administrators of large organisations who currently in the process of deploying the existing updates or who may be testing systems on a phased basis to ensure performance is not compromised too much.

Further details are available from this link.

Update: 6th April 2018
Earlier this week, Intel issued a further progress update for the deployment of further microcode for their CPUs.

A further 5 families of CPUs have now completed testing and microcode updates are available. These families are:

    • Arrandale
    • Clarkdale
    • Lynnfield
    • Nehalem
    • Westmere

However a further 9 families will not receive such updates for the reasons listed below. Those families are:

      • Micro-architectural characteristics that preclude a practical implementation of features mitigating [Spectre] Variant 2 (CVE-2017-5715)
      • Limited Commercially Available System Software support
      • Based on customer inputs, most of these products are implemented as “closed systems” and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.


      • Bloomfield
      • Clarksfield
      • Gulftown
      • Harpertown Xeon
      • Jasper Forest
      • Penryn
      • SoFIA 3GR
      • Wolfdale
      • Yorkfield

This announcement from Intel means my Intel Core i7 Extreme 980X (from 2010) won’t receive an update. This system isn’t used very much on the internet and so the impact is limited. I am hoping to replace this system in the near future too.


Please review the updated PDF made available by Intel (I can upload the PDF to this blog if Intel place it behind an account which requires sign in. At this time the PDF link still works).

As before; please monitor the websites for the manufacturer of your system for servers, desktops and laptops or the motherboard manufacturer for any custom built systems you may have to determine if these updates have been made available for your specific systems.

Thank you.

BranchScope Vulnerability Disclosed:
In a related story; four security researchers from different universities responsibly disclosed (defined) a new side channel attack affecting Intel CPUs. This attack has the potential to obtain sensitive information from vulnerable systems (a similar result from the existing Meltdown and Spectre vulnerabilities).

Further details of this attack named “BranchScope” are available in this Softpedia article and this paper from the researchers. Within the above article Intel responded to this attack stating that this vulnerability is similar to known side channel and existing software mitigations (defined) are effective against this vulnerability. Their precise wording is provided below.

Thank you.

An Intel spokesperson has provided the following statement:

“We have been working with these researchers and have determined the method they describe is similar to previously known side channel exploits. We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”

Update: 13th April 2018
AMD have issued microcode (defined) updates for Windows 10 Version 1709 to enhance the protection of their customer’s against variant 2 (CVE-2017-5715) of the Spectre vulnerability. Further details of these updates are available within these KB articles: KB4093112 and KB3073119

Thank you.

Update: 18th May 2018
Please refer to the beginning of the May and April security update summaries for further updates related to addressing Spectre variant 2 (v2).


HP Adds Security Features To Enterprise Printer Firmware

Earlier this week HP announced that their range of enterprise class LaserJet printers would include security features to better secure them against external attacks.

The printer models that include these features are the following:

  • HP LaserJet Enterprise M506 series
  • HP LaserJet Enterprise MFP M527 series
  • HP Color LaserJet Enterprise MFP M577 series

In addition, printers manufactured since 2011 should be able to benefit from some of the new security enhancements via a HP FutureSmart service pack update.

The security improvements enable the printers to defend against having their BIOS (defined) updated with a maliciously tampered version. In addition, only known good firmware can be executed (allowed to run/function). Moreover the printers feature a runtime intrusion detection system that prevents malware from being loaded into the printer’s memory.

Such printers can also take advantage of HP JetAdvantage Security Manager software that allows the IT administrator to enforce a security policy to allow them to disable unused access protocols (reducing the possibility of external attack), closing networking ports and erasing documents stored within the printers memory/hard disk to maintain confidentiality. When a printer is rebooted, all of the settings specified within the security policy will be enforced returning the printer to a known good and compliant state.

More information on these new printer models is available here and here. A link to the firmware updates for older printer models is provided above.

These security enhancements should enhance an enterprise’s security posture by preventing confidential documents from leaving the organization via networked printers or from malware installed on the printer capturing documents sent for printing or stored in the printer’s hard disk or memory. According to HP they are currently the only printer manufacturer to offer these security features but other manufacturers will likely follow suit. These features will make a worthwhile addition to have if you are considering replacing/upgrading your enterprise printer in the future.

Thank you.

Lenovo Releases Security Update For Laptop and Desktop Systems

Earlier this month computer manufacturer Lenovo released a security update for a wide range of its laptop and desktop systems.

The security update affects the Lenovo Service Engine (LSE). This is a utility created by Lenovo that becomes part of the computers BIOS (see Aside below for a definition) that downloads an application known as OneKey Optimizer. This application downloads updates for the computer’s BIOS, drivers updates for hardware and installs applications that are usually pre-installed when the computer leaves the Lenovo factory. Finally the application also sends non-personally identifiable system data to Lenovo servers.

As explained by Lenovo in their security advisory (see links provided below) in collaboration with an independent security researcher and Microsoft security vulnerabilities were found in the LSE (which included a buffer overflow attack (see Aside 2 below for a definition) and an attempted connection to a Lenovo test server). The LSE used the Microsoft Windows Platform Binary Table (WPBT). Microsoft has since provided updated security guidelines for using this capability of Windows. Since the LSE no longer meets those guidelines, Lenovo has chosen to remove all components of the LSE from the affected Lenovo systems.

Why Should These Issues Be Considered Important?
According to the US-CERT, the flaws within the LSE could allow a remote attacker to take control of the Lenovo system.

How Can I Protect Myself From These Issues?
As recommended by Lenovo in their advisories for laptops and desktop systems (both advisories are different), please update the BIOS of the affected systems using the steps provided in those advisories. Once updated the LSE disabler tool can be used to remove the vulnerable LSE components.

Thank you.

What is a BIOS?

A Basic Input/Output System (BIOS) is the first piece of code that tells your computer what to do when it is first turned on. This involves 2 stages, the first stage involves a quick diagnostic of the computers components known as a power on self-test (POST).

The second stage involves brining your computer into a usable state by starting your operating system e.g. Linux, Mac OS X or Windows from the first bootable hard drive (or other drive) it locates.

The BIOS will also check for other bootable devices such as CDs/DVDs or USB jump drives. The goal being to find the next stage of the start-up process whether that be the much more common task of starting your operating system so that you can get to work or allowing you to repair the computer or recover your data using emergency bootable discs/USB jump drives. Further information on computer BIOSes and how they are migrating to the newer Unified Extensible Firmware Interface (UEFI) architecture is available here.

Aside 2:
What is a Buffer Overflow attack?

A buffer is an area of computer memory set aside for a specific task. If data larger than that area is (attempted) to be stored in that area, that buffer will overflow. When an overflow happens the data that can fit in the buffer is stored in that buffer while the data that doesn’t fit spills over into memory adjacent to that buffer. Whatever data is stored in those locations is overwritten.

Within the overfilled memory areas (which now contain unintended data (from the point of view of another programs assuming they still contain valid data)) may have previously been another buffer, a programs data output or a pointer (defined below) to another area of memory.

At best this will result in the program using that value (that was overwritten) crashing or getting caught in an infinite loop (performing the same action again and again without ending). At worst, an attack could use a buffer overflow to their advantage.

This can result in an attacker being able to run/execute code of their choice by overwriting the return pointer of the program (due to the overflow that has happened) with a value of the attackers choosing. That value is placed there by the overspill into adjacent memory segments. When an operation is completed, instead of the program returning (using the location the return pointer is referencing) to the place where it was originally asked (called from) the program will instead go to the place in memory where the attacker has stored malicious code (since the attacker supplied this location by inserting a value of their choice (which is too large to fit in the buffer) as mentioned above).

A pointer is a variable (a segment of memory that stores a single value) that contains the address (in computer memory) of another variable.

The attacker’s code can then run with same privileges of the program which suffered the overflow. C and C++ functions (a set of instructions that carries out a specific action within a program) such as strcpy (string copy) and strcat(string concatenation/appending function) are just some examples of functions that are vulnerable to buffer overflows.

Such unsafe functions were replaced with functions that carried out the same task but checked the size of the input against the size of the buffer it was to be stored in and don’t allow an overflow to occur. These safe functions are now recommended by Microsoft. To enforce the use of safe functions the Banned Function Calls header file was created (also documented here). Other mitigations such as /GS cookies (discussed in a previous blog post) were also implemented to protect against buffer overflows.

Please note that it is only Microsoft that uses the newer safer functions mentioned above. Linux takes a different approach as does Apple but each results in safer code.

Update: 7th September 2015:
While the use of “safe” versions of common functions that operate on buffers are the preferred method of working with buffers, they are not perfect since they can suffer from incorrect calculations of the width of the buffer to allocate. If a mistake is made here by the programmer, a buffer overflow can still result. An example of a protected version of such a function (of the strcpy() function mentioned above) can be seen in the function declaration shown below that takes the width of the desired buffer as parameter would be:

strncpy(destination, source, width);

The above function declaration shows the name of the “safe” function, namely strncpy (notice the difference to the standard function with the name of strcpy, the “safe” function includes an extra “n”). The 3 parameters to this function are shown within the parentheses () otherwise known as brackets.

Update: 17th September 2015:
A detailed definition of a stack overflow is provided in a more recent blog post. This similar type of overflow can be a useful addition to the above explanation. Thank you.

A further reference for buffer overflow attacks is the following:

Smashing The Stack For Fun And Profit by Aleph One