So, the security software makers such as F-Secure, McAfee, etc are unhappy about Microsoft Vista. In fact, they are so unhappy that they published a one full page ad in Financial Times (www.ft.com) stating that Microsoft Vista poses security risks. Their claim is that a single company like Microsoft cannot be trusted to protect 95% of the Desktop PCs which are out there in the world running Windows OS. Anti-virus software producers such as themselves should be given the opportunity to protect
Microsoft has apparently strengthened the Kernel in Vista. It is now harder (if not impossible) for anybody to fiddle with the Kernel. These changes (for the better in my opinion) hits the Anti-virus software market because Vista would probably not need Anti-virus software, at least not right from the start.
Strange world this. The "protectors" such as McAfee want Microsoft to write up flawed or weak Operating Systems so that there are viruses and worms out there that can exploit these flaws. These "protectors" would then sweep in, at a considerable cost of course, and protect us from these viruses, worms and what not. Its tempting to think that the "protectors" might be the ones creating these viruses in the first place.
One more reason for me to be happy with Mac OS X :) Although this one is a bit bizzare.
Subscribe to:
Post Comments (Atom)
1 comment:
Microsoft spent a whole day here at the Black Hat conference extolling the security enhancements in its upcoming Vista operating system.
Joanna Rutkowska, a security researcher with security firm Coseinc, spent a day picking it apart.
Then again, what else would you expect from a session at a hacker convention titled: "Subverting Vista Kernel For Fun And Profit"?
Rutkowska took the stage in front of a capacity audience and proceeded to explain how to get around Vista.
She demonstrated two potential attack vectors. One could allow unsigned code to be loaded into the Vista kernel. The second vector involved taking advantage of AMD's Pacific Hardware Virtualization to inject a new form of super malware that Rutkowska claimed to be undetectable.
Rutkowska's Vista kernel attack did not rely on any known bugs in Vista, which is still in beta testing. She stressed that her demonstration did not rely on any implementation bug nor any undocumented Windows Vista functionality.
She characterized her approaches as "legal," using documented SDK (define) features.
One of the new features in Vista Beta 2 is that it requires all kernel mode drivers to be signed. The general idea is to prevent malware from being injected. Rutkowska's effort suggested that Microsoft still has some work to do on this feature.
Rutkowska's method for injecting unsigned (and therefore potentially malicious) drivers into the Vista kernel involved taking advantage of paged memory to bypass Vista security.
In her demo, the shellcode used disabled signature checking, thus allowing any unsigned driver to be subsequently loaded. Taking her attack a step further, she implemented a one-click tool, which she called "Kernelstike" to execute her Vista kernel exploit.
Call it fresh meat for sharks: The audience erupted into spontaneous applause, followed by whoops and woo-hoos throughout her demonstration.
"The fact that this mechanism was bypassed doesn't mean Vista is insecure. It just means it's just not as secure as advertised," Rutkowska said.
Rutkowska brought suggestions that could potentially prevent the subversion of the Vista kernel. One of them involves denying raw disk access from usermode, though she said that approach would likely break many applications.
Rutkowska said she disabled kernel memory paging on her own machine and is just using physical memory instead. She did admit, however, that her machine had 4 GB of RAM and as such paging makes little sense.
Rutkowska also demonstrated a new form of super malware that she said she could use against Vista. The attack involved compromising chipmaker AMD's 64 SVM hardware virtualization features with a tool she called "Blue Pill."
It creates a hypervisor that can control the operating system. A network backdoor can then be inserted onto a compromised Blue Pill machine. Rutkowska developed such a backdoor. She named it "Delusion." She said it was undetectable.
When she connected to it, the remote shell on the compromised Blue Pill machine greeted Rutkowska with the following response: "Hi this is Delusion. Where do you want to go today?"
Source : http://www.internetnews.com/security/article.php/3624861
Harish
Post a Comment