Softpedia
August 5th, 2006, 07:23 GMT · By

Vista Opened to Malicious Code Injections

On the proverbial ten yard line for Microsoft's latest operating system, security expert Joanna Rutkowska of the Singapore-based firm COSEINC demonstrated at the Black Hat conference in Las Vegas a method to bypass Vista's protective mechanisms and inject malicious code. Rutkowska showed that the kernel of the 64-bit edition of Windows Vista can be compromised by means of a virtualization-based tool. Once Vista's defenses were circumvented, the researcher successfully installed the Blue Pill rootkit.

Rutkowska's demonstration revolved around bypassing the operating system's integrity-checking process, the mechanism responsible for controlling whether unsigned code can be loaded into Vista's kernel. "The fact that this mechanism was bypassed does not mean that Vista is completely insecure. It's just not as secure as advertised," she commented. "It's very difficult to implement a 100% efficient kernel protection in any general-purpose operating system." The Blue Pill rootkit is the researcher's own creation, built on Advanced Micro Devices' Secure Virtual Machine (SVM) hardware virtualization technology, code-named Pacifica.

Rutkowska's Blue Pill was designed specifically for Vista, but the researcher explained how the malware could be given polymorphic features in order to adapt it to additional platforms, where it could provide backdoor functionality. Rutkowska also claims that Blue Pill's stealth characteristics make it virtually invisible to software-based detection, although hardware-based detection may prove to be a viable countermeasure.

Microsoft representatives confirmed the Vista kernel vulnerability and promised to address the issue. In Vista's defense, Austin Wilson, Microsoft's director of the Windows client group, stated that Rutkowska's code-signing bypass technique works only if the user is running the operating system with administrator privileges. "If you're running as a standard user, this wouldn't work," he noted. "But we're still looking at blocking this type of attack."

"Windows Vista has many layers of defense, including the firewall, running as a standard user, Internet Explorer Protected Mode, /NX support, and ASLR, which help prevent arbitrary code from running with administrative privileges," a Microsoft representative noted.
