Apr 13, 2011 14:47 GMT  ·  By

With the introduction of the Windows Operating System Loader Update, Microsoft has closed down one of the vectors that rootkits abuse in order to remain on infected Windows computers.

Referred to as the Rootkit Evasion Prevention tool, Microsoft Security Advisory (2506014) is actually a refresh of the Windows Operating System Loader (winload.exe).

Although information about the winload.exe update is provided in a security advisory, the refresh is not a security patch: Microsoft does not class the weakness as a vulnerability, and the update merely hardens the driver signing enforcement that winload.exe performs at boot.

Following the installation of KB 2506014, rootkits will no longer be able to cling to life on compromised Windows machines by abusing a weakness in the loader's signature checks that let unsigned drivers be loaded by winload.exe.

Since signed drivers are mandatory only for 64-bit variants of Windows, the Rootkit Evasion Prevention Tool is also available only for supported x64 copies of Windows, including Windows 7 SP1 RTM. (download links at the bottom of this article)

The software giant detailed the issue that enables rootkits to survive post-infection:

“During the boot process, winload.exe determines the signed state of system binaries. Certain inadequacies in this process allow unsigned binaries to be loaded. When this occurs, Windows is unable to guarantee the integrity of certain core operating system components.”
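The two practical questions an administrator has after reading the advisory are whether the loader update is actually present on a given host and whether any registered kernel driver on disk lacks a valid signature. The PowerShell below is an added example, not code from the article or from Microsoft; it assumes an elevated prompt on a supported x64 Windows host (Vista, 7, Server 2008 or 2008 R2) with PowerShell 2.0 or later, and uses only the built-in Get-HotFix, Get-AuthenticodeSignature and Win32_SystemDriver.

```powershell
# Added example (not from the article or from Microsoft).
# Assumes: elevated PowerShell 2.0+ on a 64-bit Windows Vista/7/Server 2008/2008 R2 host.

$Kb = 'KB2506014'

# 1. Is the loader update installed? Get-HotFix reads Win32_QuickFixEngineering.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
if ($hotfix) {
    "{0} installed on {1}" -f $Kb, $hotfix.InstalledOn
} else {
    "$Kb not found; winload.exe still has the original signing-check behaviour"
}

# 2. Confirm the loader itself carries a valid Microsoft signature and record its version,
#    so the file can be compared against the version the KB article lists.
$winload = Join-Path $env:SystemRoot 'System32\winload.exe'
$sig = Get-AuthenticodeSignature -FilePath $winload
"{0}: {1} (file version {2})" -f $winload, $sig.Status, (Get-Item $winload).VersionInfo.FileVersion

# 3. Walk every registered kernel driver and flag images whose signature is not 'Valid'.
#    Win32_SystemDriver.PathName may be empty, or carry a \??\ or \SystemRoot prefix.
$drivers = Get-WmiObject Win32_SystemDriver | Where-Object { $_.PathName }
$suspect = foreach ($d in $drivers) {
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if (Test-Path $path) {
        $s = Get-AuthenticodeSignature -FilePath $path
        if ($s.Status -ne 'Valid') {
            New-Object PSObject -Property @{
                Name   = $d.Name
                State  = $d.State
                Status = $s.Status
                Path   = $path
            }
        }
    }
}
$suspect | Sort-Object Name | Format-Table Name, State, Status, Path -AutoSize
```

Two caveats apply to step 3. Many in-box Microsoft drivers are signed through a catalog rather than an embedded Authenticode signature, and on PowerShell 2.0 Get-AuthenticodeSignature reports those as NotSigned, so the list is a starting point to diff against a known-good machine (or to confirm with sigverif.exe), not a rootkit verdict. And a rootkit that hides its driver image from the file system will simply not appear in the list; the check validates the loader and the visible driver set, which is all the advisory's update addresses.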

The main characteristic of a rootkit is that it is designed to remain hidden from the user, from the operating system’s own tools and from security solutions.

In this regard, the update for the Windows Operating System Loader will make it harder for rootkits to evade detection by anti-malware programs.

“This update increases the difficulty of rootkits from hiding, but since it does not address a security vulnerability, it would not prevent a future malware infection from occurring,” the Redmond company explained.

Here are the download links:

Update for Windows 7 for x64-based Systems (KB2506014)

Update for Windows Server 2008 R2 x64 Edition (KB2506014)

Update for Windows Vista for x64-based Systems (KB2506014)

Update for Windows Server 2008 x64 Edition (KB2506014)