LAS VEGAS — Microsoft spent a whole day here at the Black Hat conference extolling the security enhancements in its upcoming Vista operating system.
Joanna Rutkowska, a security researcher with security firm Coseinc, spent a day picking it apart.
Then again, what else would you expect from a session at a hacker convention titled: “Subverting Vista Kernel For Fun And Profit”?
Rutkowska took the stage in front of a capacity audience and proceeded to explain how to get around Vista.
She demonstrated two potential attack vectors. One could allow unsigned code to be loaded into the Vista kernel. The second vector involved taking advantage of AMD’s Pacific Hardware Virtualization to inject a new form of super malware that Rutkowska claimed to be undetectable.
Rutkowska’s Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality.
She characterized her approaches as “legal,” using documented SDK (define) features.
One of the new features in Vista Beta 2 is that it requires all kernel mode drivers to be signed. The general idea is to prevent malware from being injected. Rutkowska’s effort suggested that Microsoft still has some work to do on this feature.
Rutkowska’s method for injecting unsigned (and therefore potentially malicious) drivers into the Vista kernel involved taking advantage of paged memory to bypass Vista security.
In her demo, the shellcode used disabled signature checking, thus allowing any unsigned driver to be subsequently loaded. Taking her attack a step further, she implemented a one-click tool, which she called “Kernelstike” to execute her Vista kernel exploit.
Call it fresh meat for sharks: The audience erupted into spontaneous applause, followed by whoops and woo-hoos throughout her demonstration.
“The fact that this mechanism was bypassed doesn’t mean Vista is insecure. It just means it’s just not as secure as advertised,” Rutkowska said.