
Joris Evers
While Microsoft talked up Windows Vista security at Black Hat, a researcher in another room demonstrated how to hack the operating system.
Joanna Rutkowska, a Polish researcher at Singapore-based COSEINC, showed on Thursday that it is possible to bypass a security measure in Vista that is meant to prevent unsigned kernel-mode code from running.
And in a second part of her talk, Rutkowska explained how it is possible to use virtualisation technology to make malicious code undetectable, in the same way a rootkit does.
Microsoft recognises the threats and is working on ways to stop both before Vista ships, a company representative said. The software maker is still soliciting feedback on the successor to Windows XP, which is scheduled to be broadly available in January. At Black Hat, Microsoft gave out copies of an early Vista release for attendees to test.
Rutkowska's presentation filled a large ballroom at the conference to capacity, even though it was during the last time slot on the final day of the annual Black Hat security confab in Las Vegas. She used an early test version of Vista for her research work.
As one of the security measures in Vista, Microsoft is adding a mechanism that blocks unsigned driver software from loading on the 64-bit version of the operating system. Rutkowska, however, found a way to bypass the shield and get her unsigned code to run in the kernel. Malicious drivers pose a serious threat because they run at the lowest level of the operating system, with the same privileges as the kernel itself, experts have said.
"The fact that this mechanism was bypassed does not mean that Vista is completely insecure. It's just not as secure as advertised," Rutkowska said. "It's very difficult to implement a 100 per cent-efficient kernel protection."
To stage the attack, however, Vista needs to be running with administrator privileges, Rutkowska acknowledged. That means her attack should in principle be stopped by Microsoft's User Account Control, a Vista feature that runs programs with standard-user privileges by default and prompts for consent before allowing administrative actions. UAC is a key Microsoft effort to prevent malicious code from doing as much damage as it can on a PC that runs everything as administrator, the typical setting on Windows XP.
"I just hit accept," Rutkowska replied to a question from the audience about how she bypassed UAC. Because of the many security pop-ups in Windows, many users will do the same without realising what they are allowing, she said.
Microsoft has touted Vista as its most secure version of Windows yet. It is the first client operating system to go through the company's Security Development Lifecycle, a process to vet code and stamp out flaws before a product ships.
After the presentation on bypassing the driver shield, Rutkowska presented a way to create stealthy malicious software, which she code-named Blue Pill. The technique uses Pacifica, AMD's Secure Virtual Machine (SVM) hardware virtualisation extension, to slip a thin hypervisor underneath the running operating system, which then has no view of the malicious code and cannot detect it.
Blue Pill could serve as a backdoor for attackers, Rutkowska said. While it was developed on Vista and AMD's technology, it should also work on other operating systems and hardware platforms. "Some people suggested that my work is sponsored by Intel, as I focused on AMD virtualisation technology only," she said, adding that this is untrue.
