Vista DRM = rootkit?
A security researcher has released a program that shows how digital rights management processes in Windows Vista could be used to hide malicious software, rootkit-like behavior.
Alex Ionescu developed the program, called D-Pin Purr, to show that Vista features designed to protect media files can also be used to protect other kinds of files. This could also include malicious software.
"It is trivial to make a process protected or unprotected by bypassing all the code integrity checks and sandbox in which protected processes are supposed to run," Ionescu wrote. "I think it's time to signal a wake-up call to all the developers who were counting on simply ignoring protected processes and assuming they're legitimate media applications."
Ionescu posted his program to the Internet. It is currently being tested by security experts.
Fraser Howard, a principal virus researcher at security vendor Sophos, told CNET News.com sister site ZDNet UK that the program looks feasible. Howard had managed to get it running, but had not managed to successfully protect and unprotect processes on his machine.
"I have not confirmed it, but I have little doubt it will work as intended (to remove protection)," Howard told ZDNet UK. "This should mean it is perfectly possible to add protection to processes as well."
Microsoft in a statement late Thursday said it is also investigating Ionescu's findings. The company had no additional comments, other than stating that to change the protection status on Vista processes an attacker would need a high level of privilege on a Vista machine.
Vista, the successor to Windows XP, became broadly available in late January. Microsoft promotes the operating system as the most secure version of Windows it has delivered to date.
