Microsoft blocks Vista driver 'hack' tool

Microsoft on Thursday blocked an application which could have allowed malicious code into the Vista kernel.

The software giant blocked Atsiv, which circumvented a significant security feature in the 64-bit version of the operating system.

The security feature — which is intended to prevent unsigned code from being loaded into the Vista 64-bit kernel — is designed to help mitigate malicious kernel drivers typically used by rootkits.

This was "one of the big security features advertised by Microsoft for Vista 64-bit", said Ollie Whitehouse, a security researcher at Symantec, in a blog post.

To load to the kernel, driver code requires a certificate that complies with Microsoft's Kernel Mode Code Signing (KMCS) policy.

Atsiv is a free software utility, produced by Linchpin Labs and OSR, which circumvented KMCS. Atsiv allowed any unsigned driver, including malicious kernel drivers, to be loaded on Vista 64-bit. The tool loaded its own signed driver, but it then allowed unsigned drivers to be loaded through its portable executable (PE) loader. The portable executable format is a data structure with the information necessary for the Windows Vista operating system loader to manage wrapped executable code.

"The [Atsiv] driver isn't malicious in itself, but it could allow malicious code into the kernel. It's punching a big hole through the wall and allowing everything else to climb through," Whitehouse told ZDNet.co.uk.

Using Atsiv, not only could unsigned drivers have been loaded directly to the kernel, but a side effect of the tool using its own PE loader was that it was not visible in Microsoft's standard drivers list, according to Whitehouse. "This is rootkit-type behaviour," said Whitehouse in his blog.

Whitehouse said on 27 July: "In order for Microsoft to mitigate the risk of malicious code utilising this signed driver to load their own, they are going to have to revoke the signing certificate. It'll be interesting to see how long it takes Microsoft to do this."

Microsoft responded six days later, on Thursday, by blocking Atsiv. Its partner VeriSign revoked the code signing key.

"Windows Defender released a signature update on 2 August, 2007, that allows detection, blocking, and removal of the current Atsiv driver," wrote Windows security architect Scott Field in the Vista security blog. "Classification of the Atsiv software was done in accordance with the objective criteria used by the Windows Defender team to assess the characteristics of potentially unwanted software. Microsoft has worked with partners in the code signing certification authority ecosystem to assess the Atsiv issue. VeriSign has revoked the code signing key used to sign the Atsiv kernel driver, which means the code signing key will no longer be considered valid."

In his blog, Field added that the security team at Microsoft is investigating adding the revoked key to the KMCS revocation list "as an additional defence-in-depth measure".

Sentry Posts Blog

Guarding the network

What you need to know — and what you and your peers have to tell us — about security management in our new community group blog

Read more

He tried to play down the significance of the Vista security vulnerability, saying that, to install the Atsiv driver, the user must have administrative privileges.

"There is no security vulnerability related to the default case in Windows Vista where users run with limited permissions through the User Account Control feature," wrote Field.

He said that KMCS is "not a security boundary. Rather, it is only one aspect of a defence-in-depth approach to security", adding that KMCS does not guarantee that signed code is not malicious. "KMCS does not provide a means to determine the 'intent' of the signed code (ie, good or bad); indeed, signed code may contain bugs, be of poor quality, or may be malicious in nature."

Instead, the security value of KMCS is that it provides a means to identify the author of a piece of code, according to Field. "Identifying the source and ownership of code that is loaded by the kernel is a fundamental component of the operating-system and overall-ecosystem trust model," he wrote. "Furthermore, this also provides better transparency to the end user in terms of origin of code that is installed and running on a system."

However, merely identifying the author of malicious code doesn't prevent that code from executing, said the authors of the Atsiv tool. "Driver signing doesn't prevent malware. It just prohibits freedom to choose, which, on a general-purpose operating system, is simply not acceptable," said one of Atsiv's developers on rootkit.com. "A signed file uniquely identifies the company that developed that file but, when companies can be created and registered in jurisdictions known for protecting the privacy of company founders and directors, you have to ask: what does driver signing actually represent? Absent any control over what the driver actually is or does, this provides no real additional security, other than removing author anonymity," said the Atsiv developer.