October 20, 2006 5:29 PM PDT

Microsoft blocks 'Black Hat' Vista hack

Microsoft has changed Windows Vista to prevent a hack that was demonstrated at a high-profile security event this summer, but the fix may spell trouble.

Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, demonstrated the hack at Black Hat in August. She showed that it was possible to bypass security measures in 64-bit versions of Vista meant to prevent unsigned driver code from running. The bypass could allow the installation of malicious drivers--a serious threat, because they run at a low level in the operating system.

Rutkowska also tried out her exploit on Windows Vista Release Candidate 2, the final test version of the operating system released earlier this month. "It quickly turned out that our exploit doesn't work anymore," Rutkowska wrote on her blog late Thursday.

This is good news, but it might hold some problems. Microsoft appears to have thwarted the attack by blocking write-access to raw disk sectors for applications that run in user-mode, even if they are executed with elevated administrative rights, Rutkowska wrote. "Which is a bad idea," she wrote.

Microsoft's way of blocking the attack can cause compatibility trouble for programs such as disk editors and recovery tools, Rutkowska wrote. Such applications now will need their own, signed kernel-level driver to function, she wrote.

Moreover, Microsoft's way of blocking the attack is not a real solution to the problem, Rutkowska argued. An attacker could hijack a legitimate driver and still do evil, she said. "There is nothing which could stop an attacker from borrowing such a signed driver and using it to perform the?attack," she wrote.

The change that was made was the one that was most appropriate from a "time and impact to product, versus mitigation of the threat" aspect, said Stephen Toulouse, a program manager in Microsoft's Security Technology Unit. "As far as the application compatibility angle, we believe the change won't result in significant app compat issues. Remember, this is on 64-bit versions only," he said in an e-mail.

Toulouse also pointed out that in order for the attack to occur, the attacker must gain administrator rights on the machine. That means her attack would be foiled by Microsoft's user account control, a Vista feature that runs a PC with fewer user privileges. UAC is a key Microsoft effort to prevent malicious code from being able to do as much damage as on a PC running in administrator mode, a typical setting on Windows XP.

"It is very difficult to protect a computer from deliberate actions from its own administrator," Toulouse said. "However we felt that Joanna's technique was something we could implement a change to help prevent."

During her Black Hat presentation, attended by several Microsoft employees, Rutkowska suggest two alternative ways the software maker could fix the Vista problem. "But it seems that Microsoft actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn't solve the problem," she wrote.

See more CNET content tagged:
Black Hat, Stephen Toulouse, attacker, attack, Microsoft Windows Vista

15 comments

Join the conversation!
Add your comment
A typical Microsoft Move...
...is to take the easiest way out in lie of any security. Why do you
think after they fix one security issue 5 more follow?

Justin
Posted by OneWithTech (196 comments )
Reply Link Flag
Credible Black Hat?
Seems like the author give carte blanche crediblilty to the "researher". c/net has an obvious penchant to "report" almost anything negative concerning MSFT to the point they have lost most of their crediblity, for me.
Posted by tbsteph (62 comments )
Reply Link Flag
Biased opinion?
Why question the credibility of the researcher? It's not like they kept the security hole to themselves. No she gave the info freely at a conference which MSFT attended and they ignored it. It's not her fault and maybe you shouldn't bash her just because she attends a black hat convention.
Posted by geoffbhwg (1 comment )
Link Flag
Yes.
Her name has been attached to some pretty good research, IIRC including the "Blue Pill"/"Red Pill" issues with hypervisors.
Posted by Penguinisto (5042 comments )
Link Flag
Gee, I'm shocked!
A band-aid kludge on one of their OS's?

Say it isn't so!
Posted by gernblan (71 comments )
Reply Link Flag
End-User Education
"Toulouse also pointed out that in order for the attack to occur, the attacker must gain administrator rights on the machine. That means her attack would be foiled by Microsoft's user account control, a Vista feature that runs a PC with fewer user privileges."

Toulouse mentioned that the flaw she discovered only works if the user is log in as an admistrator, and to my knowledge by default users will not be administrators. So it would appear that issue is not security related, its more related to user education. Plus I believe that users are not going to administrators by default in Vista, which I think is commonplace for OSX and Linux. It would seem that MS is trying to do the right thing. They should get a pat on the back for trying, since we all know there is no security software to stop a users from doing something they should not be doing.
Posted by VI Joker (231 comments )
Link Flag
Fighting the wrong problem
Code which runs in kernel should generally be trusted, because it runs with almighty privileges. Users tunning with administrator or root privileges are entitled by definition to control what's loaded.

The original sin of Windows XP and Vista is not lousy security.

The security mechanisms (discretionary access lists - DACL) work, assuming that the user is only given privileges that match his qualifications and possible attack surface. Suppose, there is a flaw in the user's app, for example ICQ or AIM, or Real Player, or Flash, that allows arbitrary code execution. If it is exploited, malicious code is executed and tries to install itself permanently. If an user has proper (limited) privileges, the code cannot install itself, don't even think of installing a privileged component (driver or service).

The same holds for Linux. If some Firefox flaw is exploited and malicious JavaScript runs, it cannot install itself permanently with elevated privileges. Only if the user runs with root privileges (as in Lindows AKA Linspire), the exploit is possible.

Of course there are user mode privilege escalation vulnerabilities, but there's been very few such in Windows. A few are known in Linux, too (see BugTraq).

The biggest mistake of Microsoft was giving new users administrative privileges. This was done because many games and crappy applications (such as ICQ) didn't obey published Windows development guidelines and required write access to privileged directories and registry keys. To avoid people screaming, the new users are all administrators. Then it's no wonder that when 10 or 70 years old clicks Yes when asked if he want this wonderful set of smilies, and the crapware is on the computer. THIS IS THE REAL PROBLEM.
Posted by alegr (1590 comments )
Reply Link Flag
Another half-assed security "fix"
When is MS going to use real security practices?
Posted by qwerty75 (1164 comments )
Reply Link Flag
When
... windows becomes a real OS
Posted by R Me (196 comments )
Link Flag
Another full-ignoranced "comment"
When it releases Windows Vista.
And when are you Microsoft-bashers going to stop to ridiculously give credit and believe in anyone that has something bad to say about Microsoft or Microsoft software? (hint: never)
Posted by Ryo Hazuki (378 comments )
Link Flag
Panic mode
Microsoft was touting vista as their most secure version yet, then someone at blackhat finds a exploit that's not easy to fix and then Microsoft said, "Look, we blocked it, HA HA, We're Smart, You're Dumb!"

It's very childish, especially since the same person that found the exploit also told them of at least two ways to fix it properly and Microsoft turned them down.
Posted by thedreaming (573 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.