Stealth attack undermines Vista defences

Root cause analysis


Researchers have demonstrated how to bypass security protections in order to inject potentially hostile code into the kernel of prototype versions of Windows.

The demonstration by Joanna Rutkowska, a senior security researcher with Coseinc, highlighted the possibility of loading arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thereby circumventing Vista's policy of only allowing digitally-signed code to load into the kernel.

The attack, presented at the Black Hat conference in Las Vegas last week, can be performed "on the fly" (i.e. no reboot is necessary) but it does require admin privileges, unlike most malware attacks that are equally successful in conventional user mode.

Used successfully, the attack creates a means to install a rootkit (contained in an unsigned device driver) onto compromised hosts by disabling Vista's signature-checking function, Information Week reports. Disabling kernel memory paging could be implemented among a number of workarounds against the attack, she added.

Rutkowska also demonstrated her previously announced technology for creating stealth malware, Blue Pill, which uses the latest virtualisation technology from AMD - Pacifica - to inject potentially hostile code by stealth, under the radar of conventional security defences, onto a server.

Although Vista wasn't as secure as Microsoft would have us believe, Rutkowska commented that Microsoft had done a good job with the OS, adding that her attack didn't mean Vista was inherently insecure.

Microsoft director of Windows product management Austin Wilson was among the delegates who attended Rutkowska's well received presentation on Thursday, Information Week reports.

Wilson said correcting the security shortcomings highlighted by Rutkowska was on Microsoft's development road map for Vista. He added that the driver-signing function was only implemented by default on 64-bit versions of the OS.

Microsoft is going out of its way to reach out to the security community in its attempts to improve the security of Vista prior to its release, now expected early next year.

Microsoft director of security outreach Andrew Cushman began the week by encouraging ethical hackers to poke holes at the OS.

Later, Microsoft security group manager John Lambert explained the security development process behind Vista, claiming the OS had been through the biggest penetration testing effort ever mounted against an operating system. Redmond had recruited more than 20 security researchers to give Vista a "body-cavity search", he said. ®


Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading

Biting the hand that feeds IT © 1998–2022