Vista remains insecure, argues Blue Pill creator
At first glance it should be good news: after all, it would appear that Microsoft has plugged a hole that shot the claims of Vista being highly secure to pieces. Nonetheless, Joanna Rutkowska, the security researcher who demonstrated the original Blue Pill exploit at both SyScan 06 in Singapore and the Black Hat briefings in Las Vegas earlier in the year, has hit back with a warning that the method Microsoft used to block her pagefile exploit is itself fundamentally flawed and insecure.
As originally posted here, Rutkowska used AMD's SVM/Pacifica virtualization technology to create a Blue Pill rootkit that not only takes complete control of the underlying operating system but also remains 100% undetectable while doing so on the Vista x64 platform. However, Rutkowska also demonstrated a pagefile attack methodology at those security conferences, which allowed unsigned code to be loaded into the kernel, bypassing not PatchGuard but Vista's kernel code-signing protection, which is an altogether different thing.
But not anymore: according to Rutkowska herself, Vista 64 RC2 “now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.”
Rutkowska is not happy, however, because she thinks that Microsoft has chosen the least secure route to securing the OS. In her blog she mentions three options that would have been available to Microsoft, namely:
- Block raw disk access from user mode.
- Encrypt the pagefile, or use hashing to ensure the integrity of paged-out pages.
- Disable kernel-mode paging, at the cost of possibly up to 80Mb of memory.
By choosing option 1, Rutkowska argues, Microsoft “implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem…”
This is because the bad guys will simply borrow a legitimate, signed kernel driver developed for something like a disk editor. If that legitimate driver is not buggy, and there is no reason to revoke its signature, then the bad guys could use it to perform their own pagefile attack. Indeed, Rutkowska makes it clear that “we could develop a disk editor together with a raw-disk-access kernel driver, then sign it and post it” but, because her company are the good guys, “I guess somebody else will have to do that instead.”
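The weakness of option 1 is that it only restricts who may write to the raw disk; it does nothing about what ends up in the pagefile if anyone with a legitimate driver writes there. Option 2 takes the opposite approach: the memory manager itself refuses to trust paged-out content unless it can verify it. The following toy model, added here as an illustration and not code from the article, from Rutkowska's blog or from Microsoft, shows that property. The class `IntegrityPagefile`, the helper `overwrite_sectors` and the function `run_demo` are hypothetical names; the "disk" is a dictionary, the pages are constructed byte strings, and the HMAC key and expected tags are assumed to live in non-paged kernel memory. It also covers a case the paragraph does not mention: copying a genuine page into a different slot is detected because the slot number is bound into the tag.

```python
import hashlib
import hmac
import secrets


class IntegrityPagefile:
    """Toy model of Rutkowska's option 2: every page written to the pagefile
    carries a keyed hash that is checked when the page is read back.

    Added illustration only; this is not how Vista's memory manager works.
    The key and the expected tags live in the kernel's non-paged memory in
    this model, so nothing stored on disk can be used to forge a tag.
    """

    def __init__(self, page_size=4096):
        self.page_size = page_size
        self.key = secrets.token_bytes(32)  # per-boot key, never paged out
        self.disk = {}   # slot -> page bytes: the simulated raw pagefile sectors
        self.tags = {}   # slot -> HMAC of (slot, page), kept in kernel memory

    def _tag(self, slot, page):
        # Bind the slot number into the MAC so a valid page cannot simply be
        # copied into a different slot on disk and accepted there.
        msg = slot.to_bytes(8, "little") + page
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def page_out(self, slot, page):
        if len(page) != self.page_size:
            raise ValueError("page must be exactly one page in size")
        self.tags[slot] = self._tag(slot, page)
        self.disk[slot] = bytes(page)

    def page_in(self, slot):
        page = self.disk[slot]
        if not hmac.compare_digest(self._tag(slot, page), self.tags[slot]):
            # Who wrote the sectors (user mode, a signed driver, an external
            # tool) is irrelevant: the content itself fails verification.
            raise RuntimeError(f"pagefile slot {slot}: integrity check failed")
        return page


def overwrite_sectors(pf, slot, offset, data):
    """Simulates a raw write to the pagefile that bypasses the memory manager,
    i.e. the kind of access option 1 forbids only for user-mode code."""
    buf = bytearray(pf.disk[slot])
    buf[offset:offset + len(data)] = data
    pf.disk[slot] = bytes(buf)


def run_demo():
    """Returns a dict describing which on-disk modifications were detected."""
    pf = IntegrityPagefile()
    page_a = b"\x41" * pf.page_size  # constructed page contents
    page_b = b"\x42" * pf.page_size
    pf.page_out(1, page_a)
    pf.page_out(2, page_b)
    results = {"clean_roundtrip": pf.page_in(1) == page_a}

    # Case 1: two bytes of slot 1 changed in place on disk
    overwrite_sectors(pf, 1, 100, b"\xcc\xcc")
    try:
        pf.page_in(1)
        results["tamper_detected"] = False
    except RuntimeError:
        results["tamper_detected"] = True

    # Case 2: a genuine, untouched page (slot 2) copied over slot 1
    pf.disk[1] = pf.disk[2]
    try:
        pf.page_in(1)
        results["relocation_detected"] = False
    except RuntimeError:
        results["relocation_detected"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the model is the contrast with option 1: here the check does not depend on the access path at all, so a signed disk-editor driver writing to the pagefile gains nothing, whereas a user-mode raw-write block is only as strong as the set of signed drivers that are allowed through it. The cost, which the article's third option hints at, is that the tags and key must themselves never be paged out, so the pager needs some memory it can always trust.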
And let’s not forget that the Blue Pill problem still exists...