Feeds

Stealth attack undermines Vista defences

Root cause analysis

Internet Security Threat Report 2014

Researchers have demonstrated how to bypass security protections in order to inject potentially hostile code into the kernel of prototype versions of Windows.

The demonstration by Joanna Rutkowska, a senior security researcher with Coseinc, highlighted the possibility of loading arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thereby circumventing Vista's policy of only allowing digitally-signed code to load into the kernel.

The attack, presented at the Black Hat conference in Las Vegas last week, can be performed "on the fly" (i.e. no reboot is necessary) but it does require admin privileges, unlike most malware attacks that are equally successful in conventional user mode.

Used successfully, the attack creates a means to install a rootkit (contained in an unsigned device driver) onto compromised hosts by disabling Vista's signature-checking function, Information Week reports. Disabling kernel memory paging could be implemented among a number of workarounds against the attack, she added.

Rutkowska also demonstrated her previously announced technology for creating stealth malware, Blue Pill, which uses the latest virtualisation technology from AMD - Pacifica - to inject potentially hostile code by stealth, under the radar of conventional security defences, onto a server.

Although Vista wasn't as secure as Microsoft would have us believe, Rutkowska commented that Microsoft had done a good job with the OS, adding that her attack didn't mean Vista was inherently insecure.

Microsoft director of Windows product management Austin Wilson was among the delegates who attended Rutkowska's well received presentation on Thursday, Information Week reports.

Wilson said correcting the security shortcomings highlighted by Rutkowska was on Microsoft's development road map for Vista. He added that the driver-signing function was only implemented by default on 64-bit versions of the OS.

Microsoft is going out of its way to reach out to the security community in its attempts to improve the security of Vista prior to its release, now expected early next year.

Microsoft director of security outreach Andrew Cushman began the week by encouraging ethical hackers to poke holes at the OS.

Later, Microsoft security group manager John Lambert explained the security development process behind Vista, claiming the OS had been through the biggest penetration testing effort ever mounted against an operating system. Redmond had recruited more than 20 security researchers to give Vista a "body-cavity search", he said. ®

Providing a secure and efficient Helpdesk

More from The Register

next story
Preview redux: Microsoft ships new Windows 10 build with 7,000 changes
Latest bleeding-edge bits borrow Action Center from Windows Phone
Google opens Inbox – email for people too thick to handle email
Print this article out and give it to someone tech-y if you get stuck
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
UNIX greybeards threaten Debian fork over systemd plan
'Veteran Unix Admins' fear desktop emphasis is betraying open source
Google+ goes TITSUP. But WHO knew? How long? Anyone ... Hello ...
Wobbly Gmail, Contacts, Calendar on the other hand ...
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Redmond top man Satya Nadella: 'Microsoft LOVES Linux'
Open-source 'love' fairly runneth over at cloud event
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.