Microsoft blocks 'Black Hat' Vista hack

Microsoft has changed Windows Vista to prevent a hack that was demonstrated at a high-profile security event this summer, but the fix may spell trouble.

Joanna Rutkowska, a Polish researcher at Singapore-based Coseinc, demonstrated the hack at Black Hat in August. She showed that it was possible to bypass security measures in 64-bit versions of Vista meant to prevent unsigned driver code from running. The bypass could allow the installation of malicious drivers–a serious threat, because they run at a low level in the operating system.

Rutkowska also tried out her exploit on Windows Vista Release Candidate 2, the final test version of the operating system released earlier this month. “It quickly turned out that our exploit doesn’t work anymore,” Rutkowska wrote on her blog late Thursday.

This is good news, but it might hold some problems. Microsoft appears to have thwarted the attack by blocking write-access to raw disk sectors for applications that run in user-mode, even if they are executed with elevated administrative rights, Rutkowska wrote. “Which is a bad idea,” she wrote.

Microsoft’s way of blocking the attack can cause compatibility trouble for programs such as disk editors and recovery tools, Rutkowska wrote. Such applications now will need their own, signed kernel-level driver to function, she wrote.

Full article: ZDNet