Microsoft can add a new item to its checklist of security issues that must be ironed out before Windows Vista ships early next year. Under the right conditions, it's possible for a cyberattacker to inject arbitrary code into the Vista x64 kernel and stealthily take control of a user's system, according to one security researcher who demonstrated the process Thursday at the Black Hat conference in Las Vegas.
Joanna Rutkowska, a senior security researcher with Coseinc, presented a demo that showed how an attacker with systems administrator-level privileges could trick the Windows Vista Beta 2 kernel, x64 edition, into disabling its signature-checking function, allowing any unsigned device driver to be loaded onto a user's system. The danger is that the attacker can write malicious code into such a driver, which Vista would then execute.
Microsoft uses digital signatures for device drivers to let users know that the drivers are compatible with a given version of Windows. The company's goal with Vista x64 was to ensure that all kernel-mode drivers be signed, although Rutkowska showed how this mechanism could be deactivated. Rutkowska first presented her findings on July 21 at the SyScan conference in Singapore.
After the applause died down following her Black Hat demo, Rutkowska reviewed some ways to counter her attack method, ranging from forbidding raw disk access from user-mode applications to encrypting pagefile storage to disabling kernel memory paging. "That's what I'm doing in my home machine," Rutkowska said of the third option.
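A defender's check for two of those mitigations, as an added example that is not part of the article or of Rutkowska's work: it audits the standard Windows DisablePagingExecutive registry value (kernel code stays resident rather than being paged out) and the fsutil encryptpagingfile setting, and assumes it is run from an elevated PowerShell prompt.

```powershell
# Added example: audit two pagefile-related hardening settings on a Windows host.
# Run elevated; pass -Fix to apply the hardened values (both need a reboot).
param([switch]$Fix)

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-KernelPagingState {
    # DisablePagingExecutive = 1 keeps kernel-mode code and paged pool resident,
    # so no kernel code is ever written to the pagefile.
    $val = (Get-ItemProperty -Path $mmKey -Name DisablePagingExecutive `
            -ErrorAction SilentlyContinue).DisablePagingExecutive
    [pscustomobject]@{ Setting = 'DisablePagingExecutive'; Value = $val; Hardened = ($val -eq 1) }
}

function Get-PagefileEncryptionState {
    # fsutil prints "encryptpagingfile = 1" when the pagefile is encrypted with EFS.
    $out = & fsutil behavior query encryptpagingfile 2>$null
    $enabled = [bool]($out -match '=\s*1')
    [pscustomobject]@{ Setting = 'EncryptPagingFile'; Value = [int]$enabled; Hardened = $enabled }
}

$results = @((Get-KernelPagingState), (Get-PagefileEncryptionState))
$results | Format-Table -AutoSize

if ($Fix) {
    foreach ($r in ($results | Where-Object { -not $_.Hardened })) {
        switch ($r.Setting) {
            'DisablePagingExecutive' {
                Set-ItemProperty -Path $mmKey -Name DisablePagingExecutive -Value 1 -Type DWord
            }
            'EncryptPagingFile' {
                & fsutil behavior set encryptpagingfile 1 | Out-Null
            }
        }
        Write-Host "Applied $($r.Setting); reboot for it to take effect."
    }
}
```

Neither setting stops raw disk access from user mode, the first of the three countermeasures, so the audit covers only the two settings an administrator can change locally.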
Although Rutkowska said Vista isn't "as secure as advertised," she added, "I think Microsoft did a good job; this doesn't mean Vista is insecure."