Microsoft patches Patchguard, miss Purple Pill
- — 17 August, 2007 10:32
Microsoft has updated its 64-bit kernel protection for Windows Vista, which most of us know as PatchGuard, but which Microsoft calls Kernel Patch Protection.
This is Microsoft's third PatchGuard update, in what has become a cat and mouse game between the software giant and security researchers.
Initially I thought this update might have something to do with the "Purple Pill" or Atsiv software, released recently, which lets you load unsigned drivers into the Vista kernel.
Microsoft didn't comment on this directly, but their PR agency said that the update doesn't have anything to do with Purple Pill.
This update is a defense-in-depth change that builds additional checks into KPP for increased reliability, performance, and security. Although the update will enhance security within the kernel, this is not a vulnerability-related issue.
Noted Windows kernel hacker Skywing, AKA Ken Johnson, has a pretty good grasp on the changes. He told me:
"The patch essentially introduces PatchGuard v3 - it alters the obfuscation mechanisms already existing in v2 and introduces some new tricks in an attempt to defeat any code floating around out there which is designed to bypass PatchGuard v2.
In other words, the update changes PatchGuard so that the old ways of bypassing it won't work until they are updated to cope with the additional changes that PatchGuard v3 brings to the table. It appears primarily geared towards making PatchGuard less easy to bypass from a third party driver perspective, much like how PatchGuard v2 was an incremental improvement over PatchGuard v1. There are some additional internal kernel variables that are now protected by PatchGuard v3 (but weren't guarded by PatchGuard v2), likely in an attempt to close loopholes that could have been used to either disable PatchGuard v2 or ignore it completely by altering things that it did not protect in the first place.
BTW, PatchGuard v3 has been out in Windows Server 2008 at least since the Beta 3 timeframe, and it was also made publicly available for Vista alongside with the KB938979 update for Vista on August 7 or so when ntoskrnl.exe was first updated since RTM in a publicly available hotfix. This "advisory" is just publicly announcing the new PatchGuard revision and pushing it out via Windows Update to everyone (such as Vista x64 users who hadn't installed KB938979, or Windows Server 2003 x64 users for which there hasn't yet been a public hotfix that PatchGuard v3 piggy-backed along yet to my knowledge)."
So does that mean we'll be seeing another PatchGuard update to fix Purple Pill or Atsiv? It's not clear to me what Microsoft could do here. As I understand it, both of these tools used legitimate driver certificates to get their unsigned drivers into the kernel. Atsiv used a certificate that has since been revoked, and Purple Pill used a buggy ATI driver that has now been patched, and which will soon be delivered by Windows Update, according to Microsoft PR.
All this effort may be in vain, however, according to eEye's Marc Maiffret, who thinks that this is just an arms race that will go on and on. He calls all the kernel protection effort "time wasted," by Microsoft.
The pain that Microsoft has put developers through in creating/signing all drivers and related does not equal the real threat posed by people loading malicious driver files. You will always be able to circumvent any built-in protection and trojan systems. Microsoft is just creating yet another arms race in going back and forth with researchers breaking their kernel protection, and them adding more protection. But none of that matters as long as the core problem exists, that Microsoft still continues to make vulnerable software which allows bad guys to target Windows systems and steal data, and that has nothing to do with kernel or otherwise.