Microsoft blocks 'Black Hat' Vista hack

Windows update no longer allows driver hack demonstrated at Black Hat security confab. But fix may spell trouble.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Microsoft has changed Windows Vista to prevent a hack that was demonstrated at a high-profile security event this summer, but the fix may spell trouble.

Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, demonstrated the hack at Black Hat in August. She showed that it was possible to bypass security measures in 64-bit versions of Vista meant to prevent unsigned driver code from running. The bypass could allow the installation of malicious drivers--a serious threat, because they run at a low level in the operating system.

Rutkowska also tried out her exploit on Windows Vista Release Candidate 2, the final test version of the operating system released earlier this month. "It quickly turned out that our exploit doesn't work anymore," Rutkowska wrote on her blog late Thursday.

This is good news, but it might hold some problems. Microsoft appears to have thwarted the attack by blocking write-access to raw disk sectors for applications that run in user-mode, even if they are executed with elevated administrative rights, Rutkowska wrote. "Which is a bad idea," she wrote.

Microsoft's way of blocking the attack can cause compatibility trouble for programs such as disk editors and recovery tools, Rutkowska wrote. Such applications now will need their own, signed kernel-level driver to function, she wrote.

Moreover, Microsoft's way of blocking the attack is not a real solution to the problem, Rutkowska argued. An attacker could hijack a legitimate driver and still do evil, she said. "There is nothing which could stop an attacker from borrowing such a signed driver and using it to perform the?attack," she wrote.

The change that was made was the one that was most appropriate from a "time and impact to product, versus mitigation of the threat" aspect, said Stephen Toulouse, a program manager in Microsoft's Security Technology Unit. "As far as the application compatibility angle, we believe the change won't result in significant app compat issues. Remember, this is on 64-bit versions only," he said in an e-mail.

Toulouse also pointed out that in order for the attack to occur, the attacker must gain administrator rights on the machine. That means her attack would be foiled by Microsoft's user account control, a Vista feature that runs a PC with fewer user privileges. UAC is a key Microsoft effort to prevent malicious code from being able to do as much damage as on a PC running in administrator mode, a typical setting on Windows XP.

"It is very difficult to protect a computer from deliberate actions from its own administrator," Toulouse said. "However we felt that Joanna's technique was something we could implement a change to help prevent."

During her Black Hat presentation, attended by several Microsoft employees, Rutkowska suggest two alternative ways the software maker could fix the Vista problem. "But it seems that Microsoft actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn't solve the problem," she wrote.