
Microsoft blocks Vista hack, opens new can of worms


At the Black Hat convention back in August, Polish researcher Joanna Rutkowska demonstrated a Vista hack that bypassed security in the 64-bit version of Vista to run unsigned driver code, which could be used to install malicious drivers on a user's hard drive. So here's the good news: Microsoft has since made changes to Vista's code that prevent such an attack.

The bad news? Apparently, the company addressed the vulnerability by blocking write access to raw disk sectors for applications that run in user mode, including those that are executed with administrative rights. While this solution does prevent the specific exploit demonstrated at Black Hat, it introduces a new set of problems: blocking access to raw disk sectors could cause compatibility problems for programs like disk editors and disk recovery tools. What's more, instead of using an unsigned driver, a hacker could simply hijack a legitimate driver in order to execute the same attack.

Rutkowska apparently addressed these concerns during her talk back in August. "But it seems that MS actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn't solve the problem," she recently wrote on her blog. Looks like security vendors won't be the only ones up in arms over the 64-bit version of Vista, eh?

For more on the hack:
- check out this post on Joanna Rutkowska's blog, Invisible Things
- or read the write-up at ZDNet
