25 October 2006, 14:33

Rootkit researcher: Anti-rootkit bug fix in Vista RC2 useless

The heated debate about the security of the Vista kernel has gained fresh fuel through new commentary by rootkit specialist Joanna Rutkowska. Rutkowska gained notoriety at the last Black Hat hacker conference by demonstrating a vulnerability that has since come to be known as the pagefile attack. Microsoft has integrated a fix into Release Candidate 2 intended to close the hole, but apparently with only modest success.

Rutkowska's pagefile attack succeeded in loading several unsigned drivers into the Vista kernel, despite claims that the x64 version would only accept signed kernel drivers. Rutkowska's hack continuously demanded memory until Vista was forced to relocate already-loaded kernel mode drivers into the virtual memory on the hard drive. She was then able to manipulate the memory segments that lay unprotected there, planting her own drivers.

Rutkowska recommended several countermeasures to Microsoft, including forbidding direct raw disk access by user-mode applications, or encrypting the pagefile storage. A third possibility would be disabling kernel memory paging altogether. Of the three solutions, the rootkit researcher evaluated the first as the least desirable, since it would prevent disk editors and disk recovery tools from functioning.

Microsoft appears to have ignored the recommendations, Rutkowska writes in her blog. She sees the patch blocking raw access, even when executed with administrator rights. Hard drive tool vendors who want hard drive access in user mode must have their drivers certified and signed by Microsoft.

All the same, that does nothing to prevent attackers from using such signed drivers for their own purposes, such as by integrating them into malware. Insofar as the driver is error-free, Microsoft cannot withdraw the certification for that kind of driver – even if it is known to be used for attacks. Hence the problem is not really solved.

Meanwhile, security vendor Authentium has questioned the reliability of the overall kernel protection. Helmuth Feericks, the company's lead engineer, has reported success in turning off the PatchGuard protection, installing his own programs, and then turning PatchGuard back on. If he can do it, motivated hackers can do the same, Feericks stated to the Washington Post.