While Microsoft talked up Windows Vista security at Black Hat, a researcher in another room demonstrated how to hack the operating system. Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, showed that it is possible to bypass security measures in Vista that should prevent unsigned code from running.
And in a second part of her talk, Rutkowska explained how it is possible to use virtualization technology to make malicious code undetectable, in the same way a rootkit does. She code-named this malicious software Blue Pill. “Microsoft is investigating solutions for the final release of Windows Vista to help protect against the attacks demonstrated,” a representative for the software maker said. “In addition, we are working with our hardware partners to investigate ways to help prevent the virtualization attack used by the Blue Pill.”
“The fact that this mechanism was bypassed does not mean that Vista is completely insecure. It’s just not as secure as advertised,” Rutkowska said. “It’s very difficult to implement a 100 percent-efficient kernel protection.” To stage the attack, however, Vista needs to be running in administrator mode, Rutkowska acknowledged. That means her attack would be foiled by Microsoft’s User Account Control, a Vista feature that runs a PC with fewer user privileges. UAC is a key Microsoft effort to prevent malicious code from being able to do as much damage as on a PC running in administrator mode, a typical setting on Windows XP. Click here for more information.
