According to Symantec

Aug 27, 2007 11:46 GMT  ·  By

Microsoft needs to continually evolve the core of the 64-bit editions of Windows Vista. This is the perspective offered by security company Symantec, through the voice of Ollie Whitehouse, Security Response Researcher. The view came in the light of the most recent events associated with the Kernel Patch Protection and mandatory Driver Signing technologies included in x64 Vista. Russ Humphries, Senior Program Manager with the Vista security team, denied any connection between ATI patching the flaw in its Catalyst drivers, which the PurplePill exploited to load unsigned code into the core of x64 Vista, and Microsoft's own update to PatchGuard.

"Along with patch Tuesday came an update to PatchGuard; it's not clear what extra 'resilience' is added in this driver, but could this be designed to complicate exploiting vulnerabilities such as those in the ATI driver? Well it's not clear currently - it would be logical for Microsoft to continually update PatchGuard to obfuscate, misdirect and complicate exploitation by protecting more key kernel structures while adjusting how the kernel implements PatchGuard protection," Whitehouse stated.

And of course, the update to PatchGuard will not be a one-off. In fact, more than anything, the refresh signals the start of a new routine of patching over at Microsoft, in a constant race to keep up with attackers targeting not the fabric of the Windows Vista operating system itself, but the third-party code designed to integrate into its very core. With the bug in the Catalyst drivers dealt with, and the PurplePill rendered useless, Symantec is looking forward to the next flawed signed driver that allows wide-open access into the core of x64 Vista.

"So, with the ATI vulnerability closed and Microsoft's recent improvements to PatchGuard - which seems slightly confused on whether it's a security update or not - we'll have to wait for the next driver vulnerability to be found. Plus, while we're discussing the PatchGuard patch, why doesn't Microsoft consider that it addresses a security vulnerability?" Whitehouse asked, quoting an excerpt of Microsoft's update release notes as the answer: "While this update adds additional checks to the Kernel Patch Protection system, it does not involve a security vulnerability. Known methods that allow the kernel to be patched on systems where Kernel Patch Protection is enabled require a system to already be compromised by an attacker."

In the meantime, Alex Ionescu, independent kernel developer, reverse engineer and the author of the PurplePill, promised to look for alternative paths to subverting the core of 64-bit Vista. "I am currently exploring other avenues for allowing open source drivers to function on 64-bit Vista without requiring developers to pay for a certificate and deal with the code signing authorities, while still respecting Vista's KMCS policy, and continuing to protect against malicious drivers using such a method for their own gain. It is my hope to find a solution which will both please Microsoft and the KMCS policy, as well as make life easy for open source developers (and other non-commercial hobbyists) who for whatever reason don't want to, or cannot, pay for a certificate," Ionescu stated.