Microsoft reacts to kernel hacks, defends Vista

Patches PatchGuard to keep 64-bit Vista safer from unsigned code

Microsoft quietly beefed up a key defensive feature of 64-bit Windows Vista Tuesday to better protect the operating system against hacks that have plagued it for weeks.

The update to Vista's Kernel Patch Protection, a.k.a. PatchGuard, was issued through Windows Update as a high-priority download, but not as a patch per se. Microsoft, in fact, denied that it was a security fix. "While this update adds additional checks to the Kernel Patch Protection system, it does not involve a security vulnerability," an advisory posted Tuesday by the Microsoft Security Response Center (MSRC) stated. "The update does increase the reliability, performance, and resiliency provided by Kernel Patch Protection."

Although the update targets all 64-bit editions of Windows, it's Vista that stands out by reason of recent events. Since late July, a pair of utilities have sidestepped a crucial 64-bit Vista security feature that requires kernel-mode drivers to be signed with a valid digital certificate. Both utilities piggybacked unsigned code onto a legitimately signed driver to get the unsigned code past Vista's defenses and into the kernel.

First off the mark four weeks ago was Australian developer Linchpin Labs, which released Atsiv (Vista spelled backward), a utility that allowed users to load unsigned drivers to the Vista kernel. Within days, Microsoft had the certificate revoked, forcing Linchpin to throw in the towel.

Next, Canadian researcher Alex Ionescu last week took advantage of a flaw in a Vista video driver from Advanced Micro Devices's ATI Technologies unit to unveil Purple Pill, another utility that allowed unsigned drivers to be loaded into the kernel. Ionescu quickly pulled Purple Pill once he realized that the ATI driver had not been patched.

"[Purple Pill] had embedded in it an ATI signed driver that would be dropped to disk and loaded (a similar approach to Atsiv)," said Symantec analyst Ollie Whitehouse in a posting to the company's security blog last week. "However it would appear that this signed driver contained a design error which allows you to use it to load any arbitrary driver even if they are not signed."
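As an added example (not part of the original article, and not code from Microsoft, Symantec or either researcher), the following PowerShell script is the check a defender would run against the signing requirement described above: it enumerates the kernel drivers registered on the machine and reports every one whose Authenticode signature does not verify. It assumes Windows PowerShell 5.1 or later on Windows 8 or newer, where Get-AuthenticodeSignature also recognises catalog signatures; the function names Resolve-DriverPath and Get-DriverSignatureReport are this example's own.

```powershell
# Added example, not from the article: list registered kernel drivers and flag
# those whose Authenticode signature does not verify.
# Assumption: Windows PowerShell 5.1+ on Windows 8+ (catalog-signed in-box
# drivers may report NotSigned on older releases).

function Resolve-DriverPath {
    param([string]$RawPath)
    # Win32_SystemDriver.PathName comes in several shapes; normalise to a file path.
    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...   -> C:\Windows\...
    if ($p -match '^System32\\') {                          # System32\drivers\x.sys (no root)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignatureReport {
    param([switch]$RunningOnly)   # restrict to drivers currently loaded in the kernel
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if ($RunningOnly) { $drivers = $drivers | Where-Object State -eq 'Running' }

    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver whose image is gone is worth a look on its own.
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Status = 'FileMissing'; Signer = $null; Path = $path }
            continue
        }
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Path   = $path
        }
    }
}

# Usage: show every loaded driver whose signature is anything other than Valid.
Get-DriverSignatureReport -RunningOnly |
    Where-Object Status -ne 'Valid' |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

A caveat that matters for the attacks the article describes: this check verifies the driver file on disk, so a piggyback loader in the Atsiv or Purple Pill style looks clean here, because the registered driver is a validly signed one and the unsigned payload it loads never appears as a Win32_SystemDriver entry. Treat an unexpected signer on a running driver as a lead, and pair the report with image-load telemetry rather than relying on it alone.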

For its part, ATI refreshed its Catalyst video driver for Vista on Monday to patch against a repeat of Purple Pill, fulfilling a promise made earlier by AMD in a statement posted by ZDNet blogger Ryan Naraine.

While Catalyst 7.8 may have plugged the hole in ATI's driver, more driver vulnerabilities or design flaws would likely be found, or others would take the Atsiv approach and pay the money for a certificate. "Let's hope Microsoft steps in and uses Windows Update as an upgrade mechanism for them," Whitehouse said in a post Tuesday.

But that's not what appears to have taken place Tuesday as Microsoft updated PatchGuard, he added in an e-mail exchange early Wednesday.

"There is very little, if anything, Microsoft can do to stop the piggybacking [of drivers] if someone is willing to go to the effort of obtaining a signing certificate for their own driver," said Whitehouse. "The only real thing Microsoft could do to improve this process would be... to start performing code reviews of all drivers wishing to be signed. But in reality it's not scalable. Even then, it would become a game of cat and mouse with regards to individuals determined to get code through the review process."

Instead, Whitehouse went on, what Microsoft seems to have done is harden PatchGuard's defenses so that when a piggyback attack does take place -- for instance, a hacker uses a legitimate driver to inject his own code into the Vista kernel -- the damage is minimized.

"It looks like they are trying to make it harder to do anything malicious once you've exploited vulnerabilities which allow code to be executed in the kernel, such as ATI driver/Atsiv, and so on," he said.

Microsoft wasn't much help in figuring out exactly what was beefed up by the PatchGuard update; the accompanying information was extremely vague. The MSRC's release manager, Simon Conant, was just as tight-lipped in a posting to the center's blog. "The update adds additional checks to Kernel Patch Protection for increased reliability, performance and security," Conant said.

Vague or not, Whitehouse applauded Microsoft's move but cautioned against thinking the issue was dead and buried. "While these efforts should be commended, someone simply has to perform sufficient reverse engineering of the Vista kernel in order to locate the PatchGuard functionality in order to target that," he said.

Microsoft and Ionescu, the author of Purple Pill, could not be reached for comment.

Gregg Keizer, Computerworld