August 4, 2006 1:34 PM PDT

Vista hacked at Black Hat

LAS VEGAS--While Microsoft talked up Windows Vista security at Black Hat, a researcher in another room demonstrated how to hack the operating system.

Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, showed that it is possible to bypass security measures in Vista that should prevent unsigned code from running.

And in a second part of her talk, Rutkowska explained how it is possible to use virtualization technology to make malicious code undetectable, in the same way a rootkit does. She code-named this malicious software Blue Pill.

"Microsoft is investigating solutions for the final release of Windows Vista to help protect against the attacks demonstrated," a representative for the software maker said. "In addition, we are working with our hardware partners to investigate ways to help prevent the virtualization attack used by the Blue Pill."

At Black Hat, Microsoft gave out copies of an early Vista release for attendees to test. The software maker is still soliciting feedback on the successor to Windows XP, which is slated to be broadly available in January.

Rutkowska's presentation filled a large ballroom at Caesars Palace to capacity, even though it was during the last time slot on the final day of the annual Black Hat security confab here. She used an early test version of Vista for her research work.

As one of the security measures in Vista, Microsoft is adding a mechanism to block unsigned driver software to run on the 64-bit version of the operating system. However, Rutkowska found a way to bypass the shield and get her code to run. Malicious drivers could pose a serious threat because they run at a low level in the operating system, security experts have said.

"The fact that this mechanism was bypassed does not mean that Vista is completely insecure. It's just not as secure as advertised," Rutkowska said. "It's very difficult to implement a 100 percent-efficient kernel protection."

To stage the attack, however, Vista needs to be running in administrator mode, Rutkowska acknowledged. That means her attack would be foiled by Microsoft's User Account Control, a Vista feature that runs a PC with fewer user privileges. UAC is a key Microsoft effort to prevent malicious code from being able to do as much damage as on a PC running in administrator mode, a typical setting on Windows XP.

"I just hit accept," Rutkowska replied to a question from the audience about how she bypassed UAC. Because of the many security pop-ups in Windows, many users will do the same without realizing what they are allowing, she said.

Microsoft has touted Vista as its most secure version of Windows yet. It is the first operating system client to go through the company's Security Development Lifecycle, a process to vet code and stamp out flaws before a product ships.

"Windows Vista has many layers of defense, including the firewall, running as a standard user, Internet Explorer Protected Mode, /NX support, and ASLR, which help prevent arbitrary code from running with administrative privileges," the Microsoft representative noted.

After the presentation on bypassing the driver shield, Rutkowska presented a way to create the stealthy malicious software she code-named Blue Pill. The technique uses Pacifica, a Secure Virtual Machine, from chipmaker Advanced Micro Devices, to go undetected.

Blue Pill could serve as a backdoor for attackers, Rutkowska said. While it was developed on Vista and AMD's technology, it should also work on other operating systems and hardware platforms. "Some people suggested that my work is sponsored by Intel, as I focused on AMD virtualization technology only," she said, adding that is untrue.

See more CNET content tagged:
Black Hat, virtualization, Microsoft Windows Vista, malicious code, malicious software

25 comments

Join the conversation!
Add your comment
Polish Hackers Rock
lol, especially female ones, lol.
Posted by rmiecznik (224 comments )
Reply Link Flag
You too can hack Vista
You too can hack Vista: "Just hit 'Accept'.
Posted by roger.d.miller (41 comments )
Reply Link Flag
Just Say No To "Accept" :-)
>"I just hit accept," Rutkowska replied to a question from the audience about how she bypassed UAC. Because of the many security pop-ups in Windows, many users will do the same without realizing what they are allowing, she said.<

I "dunno". It's pretty hard to make security idiot proof.
Posted by john55440 (1020 comments )
Reply Link Flag
agreed but..
i agree in theory, but the problem is on vista they pop up so many time if u try to do something remotly technical. you get fed up and press yes. its the reason i got rid of vista and put xp back on m machine.
Posted by pbxtreme87 (7 comments )
Link Flag
Wow! this hacker is the best!
She just by passed the UAC by pressing the accept button! By the way, you don't need a device driver to mess up the system while running in Admin mode (or as a root in UNIX) - a simple BAT script or shell script will do the trick :-)
Posted by pdude (65 comments )
Reply Link Flag
I dont think that was the point
Yes, you can run anything as an Administrator. But I think the point of the story was that Vista isn't supposed to let an Administrator run unsigned Drivers either that could have any amount of low level code. The "Accept" was for UAC, but from what I got in the story was the driver bypass was done without warning messages that had to be accepted.

I do agree that a lot of content on CNET seems to be pointless and misleading, especially in headlines. But people also like to get worked up on something that wasn't the point of the story.
Posted by xandersturn (12 comments )
Link Flag
Hacking as Administrator?
ARE YOU KIDDING ME? THIS IS NEWS? Shame on you CNET. I usually give you guys the benefit of the doubt for sensationalism, but this is simply poor journalism. If you're running as Administrator you own the system. Plain and simple. There are far easier ways to exploit the system once you're Admin than to go through all of this trouble. Sheesh. Now go sit in the penalty box and think about this.
Posted by CNETBoy2 (1 comment )
Reply Link Flag
Not that simple
Dude, we aren't talking about a Linux system here, in Windows you need Administrator to do some pretty trivial tasks.

During a *NIX installation you are asked to provide the root password and then you create another user with less privilidges, Windows isn't so clear cut and most people only have one account (with admin privlidges) I haven't personally tested Vista from top to bottom, so correct me if i'm wrong but from what I can remember, the user Administrator and an account with admin privilidges can both screw up the system just the same.
Posted by danny_f (14 comments )
Link Flag
The problem is backwards compatability.
The simple fact is, if you're running any legacy programs on
vista, you WILL be prompted REPEATEDLY to enter administrator
mode.

Simple fact is, for the entire life of windows, coders for windows
have made use of the fact that they have complete system
access, and even the most menial of programs or underlying
tasks REQUIRE this.

You will constantly be prompted to authorise programs to run in
admin mode, and all something like blue-pill needs to do is sit
around and wait for something else to request authorisation
(something as simple as even deleting a shortcut from the
desktop will sometimes ask for this) and throw it's request up at
the same time... trust me, once you've been asked for 4
authorisation requests simply to remove a firefox shortcut from
your desktop, you will authorise ANYTHING.

The simple fact is, as long as microsoft wish to provide a
"Backwards Compatible" OS, these types of attacks will remain
just as prevalent.

I think Apple did it right with OS X, re-write a new STABLE OS
from the ground up, forgeting all that went before. Then,
provide OS 9 Compatibility through dual booting, a compatibility
layer (Classic Mode) or even better, inside a virtual machine.
Until Microsoft ditches windows, you will never see a "secure and
stable" Microsoft OS.

Their next OS needs to be something truely new, not just a
facelift of something old and haggard. After all, all the face lift's
in the world don't change the fact you're old, broken and falling
apart.
Posted by bitesizepankakes (36 comments )
Link Flag
Not only Wndows Vista!!!
virtualization technology, can also be used to hack any OS that runs on top of the malitious code. LinuX is even a better candidate because of it's open source status.
Anyway atackers must have admin privileges or phisical access to the computer to gain access to the kernel so ...
I think that the real problem could be te new completely rewritten tcp/ip stack, that hasn't been tested enough.

Bye!!!
Posted by Gunner.tailhooker (5 comments )
Reply Link Flag
This is false
Linux, as being open source, its source code compiled checked thousands and probably millions of times daily. This would defeat any person's attempt to distribute malicious code within a Linux distribution.
Posted by pyroboy1080 (3 comments )
Link Flag
Vista
With vista it does this same thing, makes you set up an administrator, and then another user. Then it makes it a little more difficult for you to log in as the administrator. Usually requiring you to use the "run as" option to do anything technical.
Posted by DrtyDogg (3084 comments )
Reply Link Flag
Microsoft is never ready
well, its microsoft...They think building on previous server operating systems and improving them a bit makes them think it's the safest, tch!Microsoft is just too noob (gaming terms :D), they're afraid that Sony will release PS3 first and clobber their xbox360 on sales, deciding to released first, look what happened (system error, overheating etc). Vista's new GUI interface, especially the new sidebar, its a complete carbon copy of Apple's panel (forgot whats the name) they're ruining themselves, copying other companies, getting sued lawsuit by lawsuit and no improvement is being made and before its offical release of Vista, its being hacked already. Face it Microsoft...make new stuff, don't reuse old stuff and polish it
Posted by 1337rice (4 comments )
Reply Link Flag
Duh...
Everyone is copying everyone. MS copies this from Apple, Apple copies that from somebody else. If you look at software, that's the way it's always been. Lots of evolution and few revolutions. And in the revolutions, the winners always copied from somebody else (like when Apple copied the GUI and the mouse from Xerox PARC).
And last time I saw (exactly two weeks ago) MS was making more money than all its competitors together, and even growing more them, including lawsuits and all. So they must be doing something right.
Posted by Hernys (744 comments )
Link Flag
Somwhat true but...
What you have stated is partly true. Windows as a server platform has never been a great idea and is the nnumber one reason that the US corporate IT infrastructure is so vulnerable. Microsoft should have built an entirely different server platform totally different from it's desktop. Of course that means they couldn't leverage their desktop Monopoly.
However you have to give the devil his due on the XBOX 360. The vast majority of the overheating problems were caused by the customers themselves by putting the systems on carpeted floors or cramming them into crowded home entertainment centers with poor ventilation. The same problems will hit the PS3 when it ships. Microsoft didn't rush the 360. They were working on that system since the release of the original XBOX. From what I have read and seen they have put together a pretty good eccosystem for game development, custmomer value ,and revenue generation. Sony meanwhile seems to be focussing on pushing unproven technology and charging a premium to the developer as well as the customer. The BluRAY Gamble is 50/50 a shot at best and could hadicapp the PS3 for it's entire life cycle. The Cell chips are also expensive to produce and currently have below average yeilds. Neither the Cell or Bluray will give PS3 a major performance edge over the 360.
Sony's DOMINANCE IN VIDEO GAMES could disappear just like its Dominance in the Portable Music market which is now owned by Apple.
Posted by Captain-Atari (80 comments )
Link Flag
Surprised that there was only one hack
Now that black hat conf is over, I am surprised that there was demo of only one attack on vista.

I hope that the researchers showed more attacks to vista team without demoing them at the conference.
Posted by Tanjore (322 comments )
Reply Link Flag
I am sick of idiotic statements...
from those who argue that Windows XP/Vista (and hence all "Microsoft software") are inherently more insecure than other OS's and software. (mind you I'm not arguing that MS is any better - just not worse.)

Subscribe to SANS at <a class="jive-link-external" href="http://www.sans.org" target="_newWindow">http://www.sans.org</a> to get the real story (I am not in any way affilated with them). ALL OS's have some level of insecurity and require patches! I include some of the latest SANS bulletin as proof. This is fairly typical of each weeks offering. The really big news is how badly PHP fares every week! It is just riddled full of problems, it is so easy to write insecure PHP code it seems - it's not even funny. OSX doesn't look perfect either :-).

Guess what? Most of the attacks now target the web - in all flavours of underlying systems - I wonder why that might be? Hmmmm....

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lots of late-breaking announcements ahead of tomorrow's big Microsoft
vulnerability release. Most notable are multiple critical Apple Mac
vulnerabilities, independent of the wireless discussion that affects
nearly every wireless card, albeit in different ways. And a security
product, CA eTrust AV has a critical vulnerability. These need to be
fixed today if they haven't already been patched. Note also that nearly
120 new vulnerabilities were discovered this week - that's a 6,000
vulnerabilities per year rate of discovery. Well over half are in web
applications.

Next week is the deadline for the big early registration discount for
SANS Network Security program in Las Vegas (October 1-8). This national
conference offers far more than the world's best hands-on, immersion
training in all aspects of security (20 tracks). It also boasts a big
exhibition of the most important products in computer security, numerous
evening sessions on the latest advances in technology and policy, Stay
Sharp sessions on new hacker techniques and a dozen other topics, and
much more.
Alan



***********************************************************************
@RISK: The Consensus Security Vulnerability Alert
August 7, 2006 Vol. 5. Week 31
***********************************************************************

@RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).

Summary of Updates and Vulnerabilities in this Consensus
- ---------------------------------------------------------------------
Platform Number of Updates and Vulnerabilities
- ---------------------------------------------------------------------
Windows 4
Microsoft Office 1
Other Microsoft Products 2
Third Party Windows Apps 7 (#2, #7)
Mac Os 2 (#1)
Linux 3
Solaris 2
Unix 6
Novell 1
Cross Platform 18 (#3, #4, #6)
Web Application - Cross Site Scripting 12
Web Application - SQL Injection 10
Web Application 48 (#5, #8, #9, #10)
Hardware 2
- --------------------------------------------------------------------

Table of Contents

Part I - Critical Vulnerabilities from TippingPoint
(www.tippingpoint.com)

Widely Deployed Software
(1) CRITICAL: Apple Mac OS X Security Update 2006-004
(2) CRITICAL: Computer Associates eTrust AntiVirus Web Scan Multiple
Vulnerabilities
(3) HIGH: Multiple Vendor WiFi Card Driver Vulnerabilities
(4) MODERATE: Mozilla Firefox Remote Code Execution
(5) MODERATE: PHP Functions Multiple Vulnerabilities
(6) MODERATE: LibTIFF Library Multiple Vulnerabilities
(7) MODERATE: McAfee SecurityCenter Unspecified Remote Code Execution

Other Software
(8) CRITICAL: TWiki Arbitrary Remote Command Execution
(9) HIGH: Jetbox Multiple Vulnerabilities
(10) HIGH: Multiple Products PHP File Inclusion Vulnerabilities
Posted by jasred (21 comments )
Reply Link Flag
Thank you for stating it!!
After all -- barring any gross negligence from the part of the programmer and tester team -- the main reason windows gets so much press about having security flaws is that there is a lot of interest for hackers to mess with Microsoft.
Along the same line of thinking, the reason why its such a visible issue is because 95% of the worlds desktops use Windows as the OS. So yeah!! Microsoft has security issues, and can be hacked but then it's the favorite OS of most people, and it has to deal with hundreds of thousands of possible user configurations and yet it still is a very versatile environment to work in and there are still more people who design FOR windows than AGAINST windows.

And to whomever said that in the beginning OS/2 was a better OS than windows. Well I happened to be there and use both and windows 286 was much more nimble than OS/2 1.1 and Windows 3.0 introduced the world to the joy of Graphical Interfaces (not the Mac, not Linux - the only one who could have done some damamge if they had had the proper funding was GeoWorks 1.0).
Posted by fbure (19 comments )
Link Flag
This isn't news....
If Microsoft makes it... it CAN be hacked.

Walt
Posted by wbenton (522 comments )
Reply Link Flag
VISTA is malware
Vista is just a platform for malware to attach to.
In fact all MS products are. But, that is cool as I make lots of money repairing M$ computers. So keep up the good work Billy. I need your defective products for my income.
Posted by purelabor (8 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.