Linked by Thom Holwerda on Fri 20th Oct 2006 14:35 UTC
Microsoft has blocked the attack vector used to slip unsigned drivers past new security policies being implemented in Windows Vista, according to Joanna Rutkowska, the stealth malware researcher who created the exploit. Rutkowska, who demonstrated the exploit at the Black Hat conference in August, said she tested the attack against Windows Vista RC2 x64 and found that the exploit doesn't work anymore. "The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights," Rutkowska wrote on her Invisible Things blog.
The reason for 64bit
by tophfisher on Fri 20th Oct 2006 15:41 UTC

Aside from more memory, not many people have good reasons to switch to 64bit CPUs on the desktop...

Maybe this is one of the reasons? People switched to Firefox for better security, are we going to see people switching to 64bit for the same reason if they run Windows?

Side note:
This is not new to Vista; Win2003 Srv has this too on 64bit servers, as well as just about every *nix out there.

Reply Score: 1

RE: The reason for 64bit
by mallard on Fri 20th Oct 2006 16:48 UTC in reply to "The reason for 64bit"

Driver signing doesn't really gain you any extra security. All it means is that malware will need to install its own signing certificate before installing any kernel-mode modules.
The real reason for driver signing is that Microsoft hopes that hardware manufacturers will rather pay them than set up their own signing certificate.

Reply Score: 5

RE: The reason for 64bit
by netpython on Sat 21st Oct 2006 07:44 UTC in reply to "The reason for 64bit"

According to her web blog:

"Blue Pill, a piece of malware which abuses AMD Pacifica hardware virtualization.."

I think I'm going to use my good old AMD64 3000+ a bit longer; it doesn't have Pacifica, fortunately.

Reply Score: 1

RE[2]: The reason for 64bit
by n4cer on Sat 21st Oct 2006 08:20 UTC in reply to "RE: The reason for 64bit"

Many motherboards allow you to turn off hardware virtualization in the BIOS, so you can upgrade and still not be vulnerable. It's also worth noting that Blue Pill required accepting a UAC prompt for it to succeed. There have also been similar demos using Intel VT as well.

Reply Score: 1

disk mgmt?
by evert on Fri 20th Oct 2006 17:11 UTC

"Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights"

Does that imply that you can no longer manage disks or edit the partition table when in Vista?

Or low-level copy a floppy or write an image to a floppy disk?

I understand that under normal usage these tasks are not important, but then I don't like to be restricted. Yes, it adds more security, but when logged on as admin I should be able to do such things.

Reply Score: 3

RE: disk mgmt?
by NotParker on Fri 20th Oct 2006 21:59 UTC in reply to "disk mgmt?"

"Vista RC2 now blocks write-access to raw disk sectors for user mode applications"

That would mean that kernel applications can still do so.

PatchGuard keeps unsigned apps from modifying the kernel, and the kernel is the only way to write to raw disk sectors.

Sounds good to me.

Reply Score: 2

it seems...
by bytecoder on Fri 20th Oct 2006 21:10 UTC

It seems like it would be a better idea to let the user decide whether or not the program should have access. No, I'm not talking about having another one of those stupid security dialogs (hint: they don't work!), but rather, force the user to acknowledge what the program might do by linking it with what it could modify, in this case the hard drive. The best way I can think of doing this is to have the user drag and drop the hard drive onto the program to signify that it has privileges to use it, with the added bonus that it tells the program which drive to use.

Incidentally, this works well for specifying privileges in general and does an excellent job at containing damage, unless the user is stupid enough to, e.g., give the program permission to modify his home directory. Of course, stupid people will always find ways to hurt themselves, but at least the other people won't shoot themselves in the feet as much.

Reply Score: 1

By by homebrew dev
by Darkmage on Fri 20th Oct 2006 23:54 UTC

This effectively kills homebrew development on Vista; it also locks out all those nice loopback audio drivers used for ripping audio out of programs. Same goes for videos.

Reply Score: 0

RE: By by homebrew dev
by NotParker on Sat 21st Oct 2006 00:54 UTC in reply to "By by homebrew dev"

"this effectively kills homebrew development on Vista, it also locks out all those nice loopback audio drivers used for ripping audio out of programs. Same goes for videos."

Why? This is for write-access to raw disk sectors. Why would those programs want to write to raw disk sectors?

Reply Score: 1

RE[2]: By by homebrew dev
by Ookaze on Mon 23rd Oct 2006 09:53 UTC in reply to "RE: By by homebrew dev"

"Why? This is for write-access to raw disk sectors. Why would those programs want to write to raw disk sectors?"

I don't know, but I know most devices use this method to update firmware, and camcorder control needs this too.
So you won't be able to control your camcorder using current software (can someone try it to confirm?).

Reply Score: 1

Rootkit still possible
by siki_miki on Sat 21st Oct 2006 09:29 UTC

The author of the exploit outlined that Microsoft chose the easiest possible way to block the rootkit, but that this isn't a real fix. It can still be achieved using a raw disk access driver (e.g. by hacking a userspace component of a partitioning program).

Reply Score: 1

Exploits ...
by poohgee on Sun 22nd Oct 2006 18:06 UTC

Actually a blog worth reading !! OMG ;)

Must say I found the blue pill stuff a lot more interesting than some little change in Vista to block unsigned drivers & misbehaving applications.

But thx for interesting Blog link ;)

Reply Score: 1