Vista Now Blocks Kernel Rootkit Attack

In the 64-bit version of Windows Vista, all kernel-mode drivers must be digitally signed, a change from earlier Windows, which encouraged signed drivers but didn't require them. This summer, Rutkowska, who works for Singapore-based security company COSEINC, showed off an attack that allowed unsigned drivers to access Vista's kernel, a technique that if used by hackers, would let them drop a rootkit into the new operating system.

Release Candidate 2 (RC2) of Vista 64-bit, however, now blocks such attacks, Rutkowska said.

"Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights," she wrote on her blog.

But although Vista stops the attack, the technique that Microsoft used to deflect such exploits is itself flawed, Rutkowska argued. By disabling write-access to raw disk sectors from Vista's usermode, she said, "not only might that cause some incompatibility problems (think about all those disk editors, un-deleters, etc.), but also it would not be a real solution to the problem."

Her contention is that legal, digitally-signed drivers can -- and will -- be hacked by criminals, then used in attacks to plant rootkits and other malware on a Vista machine. "There is nothing which could stop an attacker from 'borrowing' such a signed driver and using it to perform the attack," she said. "There is no bug in the driver, so there is no reason for revoking a signature of the driver."

Rutkowska is best known as the creator of "Blue Pill," technology she's developed that takes on AMD's and Intel's hardware-based virtualization to create ultra-stealthy malware which could hijack a server's operating system.