Microsoft has modified Windows Vista to prevent a high-profile exploit demonstrated at security conferences this summer but the fix creates as many problems as it solves, according to the security researcher who identified the original problem.

The bug, demonstrated by Joanna Rutkowska of security firm Coseinc, created a possible mechanism for hackers to bypass security protection built into 64-bit versions of Vista in order to inject potentially hostile code into the kernel of prototype versions of Windows. This so-called "pagefile attack" defeated a feature called Vista kernel protection.

Windows Vista Release Candidate 2 frustrates this attack by blocking write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights. Rutkowska writes (http://theinvisiblethings.blogspot.com/2006/10/vista-rc2-vs-pagefile-attack-and-some.html) that Microsoft's fix is fraught with difficulties because it prevents legitimate applications, such as disk editors and recovery tools, from functioning without their own signed kernel-level driver. Hackers might be able to hijack such legitimate drivers so all Microsoft has done has created extra work for developers in displacing - but not resolving - the problem.

During a presentation at the Black Hat conference in August, Rutkowska explained two other approaches Microsoft might take in defeating the page-file attack as well as highlighting the problems with simply blocking write-access to raw disk sectors for user mode applications. "Microsoft actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem," she writes (http://theinvisiblethings.blogspot.com/2006/10/vista-rc2-vs-pagefile-attack-and-some.html). ®

Related stories

Build malware protection into operating systems (17 September 2007)
http://www.theregister.co.uk/2007/09/17/gartner_rutkowska/
Vista's Long Goodbye strikes again (29 August 2007)
http://www.theregister.co.uk/2007/08/29/vista_networking_degradation/
ATI driver flaw exposes Vista kernel (10 August 2007)
http://www.theregister.co.uk/2007/08/10/ati_driver_snafu/
Microsoft re-assures partners on Vista compatibility (11 July 2007)
http://www.theregister.co.uk/2007/07/11/vista_compatibility_drivers/
Showdown persists over '100% undetectable' rootkit (6 July 2007)
http://www.theregister.co.uk/2007/07/06/blue_pill_showdown/
Researchers unpick Vista kernel protection (4 April 2007)
http://www.theregister.co.uk/2007/04/04/vbootkit/
Vista's long goodbye (26 March 2007)
http://www.theregister.co.uk/2007/03/26/vista_copying_bug/
Vista security overhaul questioned (19 February 2007)
http://www.theregister.co.uk/2007/02/19/vista_uac/
MS sees out year with another Vista attack (28 December 2006)
http://www.theregister.co.uk/2006/12/28/ms_investigates_vista_attack/
Windows Trojan masquerades as Vista hack (6 December 2006)
http://www.theregister.co.uk/2006/12/06/windows_vista_trojan/
Christmas shopping: Vista over XP? (6 December 2006)
http://www.theregister.co.uk/2006/12/06/vista_or_xp/
January 30: Window Vista's date with destiny (8 November 2006)
http://www.theregister.co.uk/2006/11/08/windows_vista_allchin/
Phishers prey on Lik-Sang customers (30 October 2006)
http://www.reghardware.co.uk/2006/10/30/phishers_prey_on_lik-sang_buyers/
Security firm punctures Vista's Patchguard (27 October 2006)
http://www.theregister.co.uk/2006/10/27/patchguard_row_analysis/
Vista vouchers, a Reg round-up (27 October 2006)
http://www.theregister.co.uk/2006/10/27/vista_voucher_roundup/
Bug causes another delay to Vista (27 October 2006)
http://www.theregister.co.uk/2006/10/27/vista_delayed/
Acer: Vista Home Basic is a lemon (27 October 2006)
http://www.theregister.co.uk/2006/10/27/acer_slams_vista_home_basic/
Vista vouchers for Christmas PC buyers (25 October 2006)
http://www.theregister.co.uk/2006/10/25/vista_vouchers/
Microsoft in 64-bit Vista lockdown (24 October 2006)
http://www.theregister.co.uk/2006/10/24/microsoft_at_rsa/
McAfee hoping MS will live up to 'hollow' promises (20 October 2006)
http://www.theregister.co.uk/2006/10/20/ms_mcafee_rumble/
Microsoft promises more info for security firms (19 October 2006)
http://www.theregister.co.uk/2006/10/19/microsoft_promises_more_info/
Microsoft agrees to release Vista interop info (16 October 2006)
http://www.theregister.co.uk/2006/10/16/ms_vista_security/
Microsoft Vista final beta released (9 October 2006)
http://www.theregister.co.uk/2006/10/09/vista_final_beta/
Stealth attack undermines Vista defences (7 August 2006)
http://www.theregister.co.uk/2006/08/07/vista_black_hat_attack/