An open door to the core of the operating system

Aug 16, 2007 11:07 GMT

A signed open-source driver can be both the simplest path into the 64-bit Windows Vista kernel and the fastest way to crash the operating system. Microsoft introduced mandatory driver signing in the 64-bit edition of its latest operating system and presented the mitigation as a barrier against unsigned kernel-mode software. Code signing itself is not new with Vista, but Microsoft's most secure Windows platform to date brought driver signing into the limelight, for all the wrong reasons. Mandatory driver signing is designed to keep unsigned code out of the kernel of 64-bit editions of Vista. And yet the 64-bit Vista model, built on digital signatures for kernel-mode code, is flawed by design, because the weakest link is neither the operating system nor the signing requirement itself but the third-party drivers. A signature attests to who produced a driver, not to whether it is free of bugs, so a validly signed driver that can be made to write arbitrary kernel memory gives unsigned code a route into the kernel without ever being signed.

Ollie Whitehouse, Architect at Symantec Advanced Threat Research, explained that the Cupertino-based security company sees the weakness of driver signing in the growing trend of attacking third-party drivers. Whitehouse pointed to just such a scenario for completely taking over the kernel of x64 Windows Vista through an open-source driver: "a common open-source driver signed by a third-party and used pretty widely by the technical community. The driver is WinPcap. The vulnerability is a bug that allowed arbitrary kernel memory to be written to. If we look at the change log from WinPcap: Version 4.0, 29 Jan 07: Added support for Vista x64 by digitally signing all the binaries of the WinPcap distribution. Then fast forward six months: version 4.0.1, 03 Jul 07, bug fixing: fixed a bug in the dispatcher of the BIOCGSTATS IOCTL that caused a BSOD if the parameters passed from user level were invalid."
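
The changelog entry describes the general bug class behind this kind of attack: an IOCTL dispatcher that trusts the sizes a user-mode caller passed to DeviceIoControl(). The following is an added illustration written for this article, not WinPcap's code and not the actual BIOCGSTATS defect (whose details the changelog does not give). It models a METHOD_BUFFERED "get statistics" request with a dispatcher that writes without checking the caller's claimed output length beside one that validates it, and runs both against a simulated pool buffer in user space so the overwrite of the neighbouring allocation is visible. The structure names, the simulated pool and the fill pattern are assumptions; only the NTSTATUS values are the real Windows constants.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a METHOD_BUFFERED IOCTL reaching a Windows driver.
   Not WinPcap's code, not the WDK, not the specific BIOCGSTATS defect.
   Only the NTSTATUS values below are the real Windows constants. */
typedef int32_t NTSTATUS_T;
#define STATUS_SUCCESS_T            ((NTSTATUS_T)0x00000000)
#define STATUS_INVALID_PARAMETER_T  ((NTSTATUS_T)0xC000000D)
#define STATUS_BUFFER_TOO_SMALL_T   ((NTSTATUS_T)0xC0000023)

/* Assumed layout of what a capture driver returns for a "get stats" call. */
typedef struct {
    uint32_t received;
    uint32_t dropped;
} capture_stats_t;

/* For METHOD_BUFFERED the I/O manager allocates one system buffer from
   non-paged pool, sized by the lengths the user-mode caller supplied, and
   the driver reads and writes only through that buffer. */
typedef struct {
    void   *system_buffer;
    size_t  input_len;    /* caller's claimed input size  */
    size_t  output_len;   /* caller's claimed output size */
    size_t  information;  /* bytes the driver reports as written back */
} ioctl_request_t;

static const capture_stats_t current_stats = { 1234u, 7u };

/* Vulnerable dispatcher: assumes the caller left enough room and writes the
   whole structure. A caller who lied about output_len makes this write run
   past the end of the pool allocation into whatever follows it. */
NTSTATUS_T get_stats_unchecked(ioctl_request_t *req)
{
    memcpy(req->system_buffer, &current_stats, sizeof current_stats);
    req->information = sizeof current_stats;
    return STATUS_SUCCESS_T;
}

/* Hardened dispatcher: every value that originated in user mode is checked
   before any kernel memory is touched. */
NTSTATUS_T get_stats_checked(ioctl_request_t *req)
{
    if (req->system_buffer == NULL)
        return STATUS_INVALID_PARAMETER_T;
    if (req->output_len < sizeof current_stats) {
        req->information = 0;
        return STATUS_BUFFER_TOO_SMALL_T;
    }
    memcpy(req->system_buffer, &current_stats, sizeof current_stats);
    req->information = sizeof current_stats;
    return STATUS_SUCCESS_T;
}

/* Simulated I/O manager and pool so both dispatchers can run in user space. */
#define POOL_SIZE      64
#define NEIGHBOUR_FILL 0xA5   /* stands in for the next pool allocation */

typedef NTSTATUS_T (*dispatch_fn)(ioctl_request_t *);

typedef struct {
    unsigned char   pool[POOL_SIZE];
    ioctl_request_t req;
    NTSTATUS_T      status;
    int             neighbour_intact;
} simulated_call_t;

/* Issue the IOCTL with a caller who claims out_len bytes of output
   (clamped to POOL_SIZE so the simulation itself stays in bounds). */
static void simulate_ioctl(simulated_call_t *c, dispatch_fn handler, size_t out_len)
{
    memset(c->pool, NEIGHBOUR_FILL, POOL_SIZE);
    c->req.system_buffer = c->pool;
    c->req.input_len     = 0;
    c->req.output_len    = out_len > POOL_SIZE ? POOL_SIZE : out_len;
    c->req.information   = 0;

    c->status = handler(&c->req);

    /* Any byte past the caller's buffer that changed would be a kernel pool
       overwrite on the real system. */
    c->neighbour_intact = 1;
    for (size_t i = c->req.output_len; i < POOL_SIZE; i++)
        if (c->pool[i] != NEIGHBOUR_FILL)
            c->neighbour_intact = 0;
}

/* 1 if the dispatcher stayed inside the caller's buffer, 0 if it overwrote
   the neighbouring allocation. */
int neighbour_survives(dispatch_fn handler, size_t out_len)
{
    simulated_call_t c;
    simulate_ioctl(&c, handler, out_len);
    return c.neighbour_intact;
}

/* The status the dispatcher returned for that call. */
NTSTATUS_T dispatch_status(dispatch_fn handler, size_t out_len)
{
    simulated_call_t c;
    simulate_ioctl(&c, handler, out_len);
    return c.status;
}

int main(void)
{
    /* A user-mode caller asks for the stats but claims only 2 bytes of room. */
    printf("unchecked: status=0x%08x neighbour intact=%d\n",
           (unsigned)dispatch_status(get_stats_unchecked, 2),
           neighbour_survives(get_stats_unchecked, 2));
    printf("checked:   status=0x%08x neighbour intact=%d\n",
           (unsigned)dispatch_status(get_stats_checked, 2),
           neighbour_survives(get_stats_checked, 2));
    return 0;
}
```

The unchecked handler reports success while having written past the two bytes the caller provided; the checked one rejects the request with STATUS_BUFFER_TOO_SMALL and leaves the neighbouring bytes untouched. In a real driver the same discipline applies to input lengths, embedded offsets and, for METHOD_NEITHER IOCTLs, to user pointers, which must be probed and copied before use.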

At Black Hat 2007 in Las Vegas, security researcher Joanna Rutkowska demonstrated that the x64 Vista kernel could be compromised through two drivers from Nvidia and AMD's ATI. Before that, two tools had appeared whose specific purpose was to piggyback unsigned code into the 64-bit Vista kernel on top of a signed driver: Atsiv and Purple Pill. Both utilities are regarded as potentially unwanted software. Microsoft has set up a mechanism for revoking the certificates of signed drivers that have been compromised or used maliciously, but Whitehouse stressed that it is not built to sustain large volumes of attacks from all fronts.

"We have a non-hardware-specific driver, which I've observed some hardware OEMs ship with their consumer products for previous versions of Windows, as well as being used relatively widely by the technical community. It's available for Windows Vista 64-bit and is signed and contains a vulnerability which allows arbitrary kernel memory modification. So, another example of a certificate Microsoft is going to have to consider pulling," Whitehouse concluded.