Vista kernel fix 'worse than useless'
MS irks security researcher (part 411)
Posted in Operating Systems, 24th October 2006 15:57 GMT
Microsoft has modified Windows Vista to prevent a high-profile exploit demonstrated at security conferences this summer, but the fix creates as many problems as it solves, according to the security researcher who identified the original problem.
The bug, demonstrated by Joanna Rutkowska of security firm Coseinc, created a possible mechanism for hackers to bypass security protection built into 64-bit versions of Vista in order to inject potentially hostile code into the kernel of prototype versions of Windows. This so-called "pagefile attack" defeated a feature called Vista kernel protection.
Windows Vista Release Candidate 2 frustrates this attack by blocking write access to raw disk sectors for user-mode applications, even when they run with elevated administrative rights. Rutkowska writes that Microsoft's fix is fraught with difficulties because it prevents legitimate applications, such as disk editors and recovery tools, from functioning without their own signed kernel-level driver. Hackers might be able to hijack such legitimate drivers, so all Microsoft has done is create extra work for developers while displacing, but not resolving, the problem.
During a presentation at the Black Hat conference in August, Rutkowska explained two other approaches Microsoft might take to defeat the pagefile attack, as well as highlighting the problems with simply blocking write access to raw disk sectors for user-mode applications. "Microsoft actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn't solve the problem," she writes. ®