This past summer, while sitting cross-legged at the back of the room in Caesar’s Palace during Black Hat, I watched as Joanna Rutkowska silenced the room. She calmly and methodically explained how an attacker could circumvent Microsoft’s kernel protection to inject shellcode into pagefile.sys. A couple of Redmond disciples attempted to refute her, but she came ready for battle. She made short work of the unbelievers and returned to her presentation slides, and the humbled adversaries melted back into their seats. Rutkowska also outlined several ways for Microsoft to rectify the problems she discussed.
Windows Vista Release Candidate 2 frustrates this attack by blocking write access to raw disk sectors for user-mode applications, even when they run with elevated administrative rights. Rutkowska writes that Microsoft’s fix is fraught with difficulties because it prevents legitimate applications, such as disk editors and recovery tools, from functioning without their own signed kernel-level driver. Hackers might be able to hijack such legitimate drivers, so all Microsoft has done is create extra work for developers while displacing – but not resolving – the problem.
So rather than take the high road and actually fix the problem, once again we see Microsoft taking the easy way out: they have simply put a band-aid on it, hoping that no one would notice. In Rutkowska’s words the fix is ‘worse than useless’, and you know what? I’d believe her.