Vista Gets Better Security Against Kernel-Mode Malware

Is this bad news for software developers?

By Alex Muradin, Editor, Software Reviews

25th of January 2006, 09:30 GMT

With threats from kernel-mode rootkits on the rise, Microsoft is planning a big policy change to block uncertified drivers from loading on x64 versions of Windows Vista. Kernel-mode software for Windows Vista and Windows Server must have a digital signature to load on x64-based computer systems.

This is an attempt to restrict the spread of powerful rootkits that intercept the native API in kernel mode and directly manipulate Windows data structures. Rootkits are components that typically use stealth to maintain a persistent and undetectable presence on a computer. This technology is used by hackers in malicious spyware programs and in identity theft schemes.

This policy is part of Microsoft's SDL (Security Development Lifecycle), the mandatory development process Microsoft engineers use to build security into all products that are connected to the Net. "By requiring digital signatures on all kernel mode software running Windows Vista on x64-based computer systems, this allows the administrator or end user who is installing Windows-based software to know whether a legitimate publisher has provided the software package, helping limit the impact of kernel malware on customers' systems," a Microsoft spokesperson said.

What it means

This change means that users who do not have administrative privileges are no longer able to install unsigned drivers. It also means that drivers must be signed for devices that stream protected content. This includes audio drivers that use PUMA (Protected User Mode Audio) and PAP (Protected Audio Path), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands. From now on, unsigned kernel-mode software will not load or run on x64-based systems.

According to Microsoft, the change will ultimately also make system crashes easier to diagnose, because it narrows down which publishers' software was running at the time of the error. Software publishers can then fix the errors faster using the information Microsoft provides them.

A few extra tidbits

Vista driver developers must obtain a Publisher Identity Certificate (PIC) from Microsoft. Microsoft says it won't charge for the PIC, but it requires that you have a Class 3 Commercial Software Publisher Certificate from VeriSign, which costs $500 per year.
© Copyright 2001-2009 Softpedia