Microsoft has blocked the attack vector used to slip unsigned drivers past new security policies being implemented in Windows Vista, according to Joanna Rutkowska, the stealth malware researcher who created the exploit. Rutkowska, who demonstrated the exploit at the Black Hat conference in August, said she tested the attack against Windows Vista RC2 x64 and found that the exploit doesn’t work anymore. “The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights,” Rutkowska wrote on her Invisible Things blog.
Aside from more memory, not many people have good reasons to switch to 64bit CPUs on the desktop…
Maybe this is one of the reasons? People switched to Firefox for better security, are we going to see people switching to 64bit for the same reason if they run Windows?
Side note:
This is not new to Vista; Win2003 Server has this too on 64-bit servers, as well as just about every *nix out there.
Driver signing doesn’t really gain you any extra security. All it means is that malware will need to install its own signing certificate before installing any kernel-mode modules.
The real reason for driver signing is that Microsoft hopes that hardware manufacturers would rather pay them than set up their own signing certificate.
According to her web blog:
“Blue Pill, a piece of malware which abuses AMD Pacifica hardware virtualization...”
I think I’m going to use my good old AMD64 3000+ a bit longer; it doesn’t have Pacifica, fortunately.
Many motherboards allow you to turn off hardware virtualization in the BIOS, so you can upgrade and still not be vulnerable. It’s also worth noting that Blue Pill required accepting a UAC prompt for it to succeed. There have also been similar demos using Intel VT as well.
“Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights”
Does that imply that you can no longer manage disks or edit the partition table when in Vista?
Or low-level copying a floppy, or writing an image to a floppy disk?
I understand that under normal usage these tasks are not important, but then I don’t like to be restricted. Yes, it adds more security, but when logged on as admin I should be able to do such things.
“Vista RC2 now blocks write-access to raw disk sectors for user mode applications”
That would mean that kernel applications can still do so.
PatchGuard keeps unsigned apps from modifying the kernel, and the kernel is the only way to write to raw disk sectors.
Sounds good to me.
It seems like it would be a better idea to let the user decide whether or not the program should have access. No, I’m not talking about having another one of those stupid security dialogs (hint: they don’t work!), but rather, force the user to acknowledge what the program might do by linking it with what it could modify, in this case the hard drive. The best way I can think of doing this is to have the user drag and drop the hard drive onto the program to signify that it has privileges to use it, with the added bonus that it tells the program which drive to use.
Incidentally, this works well for specifying privileges in general and does an excellent job at containing damage, unless the user is stupid enough to, e.g., give the program permission to modify his home directory. Of course, stupid people will always find ways to hurt themselves, but at least the other people won’t shoot themselves in the feet as much.
This effectively kills homebrew development on Vista; it also locks out all those nice loopback audio drivers used for ripping audio out of programs. Same goes for videos.
Why? This is for write-access to raw disk sectors. Why would those programs want to write to raw disk sectors?
I don’t know, but I know most devices use this method to update firmware, and camcorder control needs this too.
So you won’t be able to control your camcorder using current software (can someone try it to confirm?).
The author of the exploit pointed out that Microsoft chose the easiest possible way to block the rootkit, but that one isn’t a real fix. It can still be achieved using a raw disk access driver (e.g. by hacking a userspace component of a partitioning program).
Actually a blog worth reading!! OMG
Must say I found the blue pill stuff a lot more interesting than some little change in Vista to block unsigned drivers & misbehaving applications.
But thx for interesting Blog link