Microsoft blocks 64-bit driver
The 64-bit version of Windows Vista requires a digital signature for each driver which runs in kernel mode. Microsoft has now placed the Atsiv driver certificate on the blacklist and thereby blocked the driver from the system. In addition, the Redmond company has released a Windows Defender anti-spyware signature for the driver which identifies it as unwanted software.
The Atsiv driver, developed by LinchpinLabs, has the sole purpose of loading additional code - both signed and unsigned - and executing it in the kernel context, which makes it quite widely used to load self-signed device drivers into Vista. The company has equipped the driver with a VeriSign certificate. In an entry on Microsoft's Vista security blog, Windows Security Architect Scott Field writes that the software breaches the guidelines on Kernel Mode Code Signing (KMCS), which only permit signed code in the kernel of the 64-bit version of Vista. The Atsiv driver also provides the ability to load further code into the kernel invisibly to official interfaces such as EnumDeviceDrivers() and can thus be misused to compromise the system completely.
Field sees KMCS not as a security barrier, but merely as a further component of the overall security approach, since KMCS cannot itself determine whether code has good or bad intentions. He states that KMCS does however enable the author of the code to be determined, and thereby offers Microsoft the opportunity to, for example, follow up problems relating to crashes provoked by particular software within the scope of Microsoft Online Crash Analysis. The mechanism thus represents a trust model. Furthermore, the Atsiv case demonstrates that this model works - the author of the driver was not anonymous and the integrity of the Atsiv driver itself was successfully validated, i.e. it was possible to determine that the driver had not been modified.
Because of the infringement of the KMCS guidelines, Microsoft has initiated the process of certificate revocation by VeriSign so that the driver can no longer be installed. Further, it intends to place the certificate on the kernel list of blocked certificates, which will prevent the driver from being loaded after a reboot. The Defender signature should also ensure that users are able to detect the driver and remove it from their hard drives.
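The three measures above (revocation, the kernel block list, and a Defender signature) all act on the driver's signature and certificate. The following PowerShell script is an added example, not code from the article, Microsoft or LinchpinLabs: it enumerates the kernel drivers currently running and reports any whose Authenticode signature no longer verifies, which is the check an administrator would run to find a driver whose certificate has been revoked or that was never signed. It assumes an elevated Windows PowerShell 5.1 or later session on 64-bit Windows; the thumbprint in `$blockedThumbprints` is a placeholder, since the article names no thumbprint for the Atsiv certificate.

```powershell
# Added example (not from the article): list running kernel drivers whose
# Authenticode signature does not verify. Assumes an elevated Windows
# PowerShell 5.1+ session on 64-bit Windows.

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # PathName may use the \??\ or \SystemRoot prefixes or be quoted;
        # normalise it to a plain file system path first.
        $path = $_.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name       = $_.Name
            Path       = $path
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }

# Anything other than 'Valid' deserves a look: NotSigned, HashMismatch, or a
# chain that no longer verifies because the signing certificate was revoked.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize

# Optional: flag drivers signed with a certificate on a local block list.
# PLACEHOLDER thumbprint; replace with values from your own policy.
$blockedThumbprints = @('0000000000000000000000000000000000000000')
$report | Where-Object { $_.Thumbprint -in $blockedThumbprints } | Format-Table -AutoSize
```

One caveat: many drivers that ship with Windows are signed through a catalog file rather than an embedded signature, and depending on the PowerShell version `Get-AuthenticodeSignature` may report those as `NotSigned`. Treat a `NotSigned` result on an inbox driver as something to cross-check against the system catalogs (for example with a catalog-aware tool such as Sysinternals `sigcheck`) rather than as proof of tampering; a `NotSigned` or `HashMismatch` result on a third-party driver loaded from an unexpected path is the case this check is meant to surface.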
From the comments on the blog entry, it appears that many users are concerned about handing over control of their computers to Microsoft or to certification authorities such as VeriSign, which seem to play the role of software police. Microsoft has already given clear notice of such a procedure for the Vista DRM protected environment, which is intended to provide an intrusion-resistant corridor for high-definition multimedia files.
- x64 Driver Signing Update, entry on Microsoft's Vista security blog