Killing tool designed to load unsigned kernel mode code

Aug 3, 2007 08:42 GMT

Microsoft has moved to keep the kernel of the 64-bit editions of Windows Vista from loading unsigned code. The step was needed to neutralize Atsiv, a tool that lets users load signed or unsigned drivers into the x64 Vista kernel. Although Linchpin Labs & OSR, Atsiv's developers, presented the utility as a way to run unsigned legacy drivers in the kernel of 64-bit Vista, Microsoft's position was that the tool conflicts with the Kernel Mode Code Signing (KMCS) policy.

"In Windows Vista x64 editions, the default KMCS policy is to only allow code to load into the kernel if it has been digitally signed with a valid code signing certificate," explained Scott Field, Windows Security Architect. "The Atsiv driver provides a means to load unsigned kernel mode code in a manner that is not visible through operating system provided API interfaces (such as the EnumDeviceDrivers() API), and this may allow the code to hide from view of commonly deployed tools. Installing the Atsiv driver requires administrative privileges, so there is no security vulnerability related to the default case in Windows Vista where users run with limited permissions through the User Account Control feature."

Mandatory kernel-mode driver signing on x64 Windows Vista was Microsoft's attempt to shut down the rootkit practice of loading malicious drivers into the kernel. One point to be clear about from the outset is that Atsiv does not exploit a security flaw in 64-bit Vista. The tool first loads a legitimately signed driver and then uses it as the lever for bringing in the unsigned code. Microsoft was expected to revoke the signing certificate in order to kill Atsiv, and the company did just that.

"Certificate revocation has occurred as of August 2, 2007. Microsoft has worked with partners in the code signing certification authority ecosystem to assess the Atsiv issue. VeriSign has revoked the code signing key used to sign the Atsiv kernel driver, which means the code signing key will no longer be considered valid," Field added. "The security team at Microsoft is investigating adding the revoked key to the kernel mode code signing revocation list, as an additional defense in depth measure. The kernel mode revocation mechanism requires a system reboot in order for the new revocation list to take effect, which is consistent with other Microsoft updates which require and subsequently trigger a reboot."
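The two mechanisms Field describes, the OS-provided driver enumeration that Atsiv's payload hides from and the certificate revocation that kills the Atsiv loader, can be combined into a single check from an administrative shell. The script below is an added example, not code from Microsoft, Linchpin Labs or OSR: it lists the kernel modules Windows itself reports through EnumDeviceDrivers(), verifies each image's Authenticode signature, and builds the signer's certificate chain with online revocation checking so that a revoked signing key is reported. It assumes Windows PowerShell 5.x running elevated; the class name Psapi and the function names are this example's own.

```powershell
# Added example (not Microsoft's, Linchpin Labs' or OSR's code). Assumes Windows
# PowerShell 5.x in an elevated session. Psapi, Get-LoadedDriverPath and
# Test-DriverSigner are names chosen here, not Windows APIs.

$psapiDef = @"
using System;
using System.Runtime.InteropServices;
using System.Text;
public static class Psapi {
    [DllImport("psapi.dll", SetLastError = true)]
    public static extern bool EnumDeviceDrivers([Out] IntPtr[] lpImageBase, uint cb, out uint lpcbNeeded);
    [DllImport("psapi.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint GetDeviceDriverFileNameW(IntPtr ImageBase, StringBuilder lpFilename, uint nSize);
}
"@
Add-Type -TypeDefinition $psapiDef

function Get-LoadedDriverPath {
    # Two-call pattern: the first call only reports the buffer size in bytes.
    [uint32]$needed = 0
    [void][Psapi]::EnumDeviceDrivers($null, 0, [ref]$needed)
    $bases = New-Object IntPtr[] ([int]($needed / [IntPtr]::Size))
    $cb = [uint32]($bases.Length * [IntPtr]::Size)
    if (-not [Psapi]::EnumDeviceDrivers($bases, $cb, [ref]$needed)) {
        throw "EnumDeviceDrivers failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    foreach ($base in $bases) {
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Psapi]::GetDeviceDriverFileNameW($base, $sb, $sb.Capacity) -eq 0) { continue }
        # The kernel returns NT paths (\SystemRoot\..., \??\C:\...); map them to Win32 paths.
        $p = $sb.ToString() -replace '^\\SystemRoot', $env:SystemRoot
        $p -replace '^\\\?\?\\', ''
    }
}

function Test-DriverSigner {
    param([Parameter(Mandatory)][string]$Path)
    $result = [ordered]@{ Path = $Path; Status = 'FileNotFound'; Signer = $null; Revoked = $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if ($null -eq $sig) { return [pscustomobject]$result }
    $result.Status = $sig.Status
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        # Re-validate the signer's chain with online CRL/OCSP checking; a key the CA
        # has revoked (as VeriSign revoked Atsiv's) surfaces as the Revoked flag.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        [void]$chain.Build($sig.SignerCertificate)   # returns $false on any chain error; only Revoked matters here
        $revoked = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked
        $result.Revoked = [bool]($chain.ChainStatus | Where-Object { $_.Status -eq $revoked })
    }
    [pscustomobject]$result
}

# Report every loaded image that is not validly signed by an unrevoked signer.
Get-LoadedDriverPath | Sort-Object -Unique | ForEach-Object { Test-DriverSigner -Path $_ } |
    Where-Object { $_.Status -ne 'Valid' -or $_.Revoked } |
    Format-Table Path, Status, Revoked, Signer -AutoSize
```

Two caveats follow directly from Field's description. First, the check only sees what the operating system enumerates: it would flag the Atsiv loader driver itself once its signer is revoked, but the unsigned code Atsiv brings in is, by design, absent from the EnumDeviceDrivers() view, so a clean list proves nothing about that payload and memory-based tools are needed for it. Second, revocation checking needs network access to the CA; chain statuses such as RevocationStatusUnknown or OfflineRevocation are not reported as Revoked and should be treated as unresolved rather than clean. Inbox Windows drivers are catalog-signed rather than carrying an embedded signature, so they show as Valid only on Windows versions where Get-AuthenticodeSignature consults the system catalogs.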

Additionally, Windows Defender signatures were updated on August 2, so Windows Defender can now detect, block and remove the current Atsiv driver. Microsoft has also classified the Atsiv tool as potentially unwanted software. Linchpin Labs & OSR have not commented on Microsoft's actions, but the tool is expected to be updated with another valid signing certificate.