Can a Rootkit Be Certified for Vista?

http://www.eweek.com/article2/0,1895,2104462,00.asp


Can a Rootkit Be Certified for Vista?
By Lisa Vaas
March 15, 2007

Be the first to comment on this article



NEW YORK-Forget what Microsoft says about Vista being the most secure
version of Windows yet. More to the point, what do the hackers think
of it? ADVERTISEMENT

In a nutshell, they think it's an improvement, but at the end of the
day, it's just like everything else they dissect-that is, breakable.

"Not all bugs are being detected by Vista," pointed out famed hacker
H.D. Moore. "Look at how a hacker gets access to the driver: Right now
I'm working on Microsoft's automated process to get Metasploit-
certified. It [only] costs $500."

Moore is the founder of the Metasploit Project and a core developer of
the Metasploit Framework-the leading open-source exploit development
platform-and is also director of security research at BreakingPoint
Systems. The irony of his statement lies in the idea that Vista trusts
Microsoft-certified programs-programs that can include a hacker
exploit platform that walks through the front door for a mere $500 and
a conveyor-belt approval process.


Moore was one of a handful of white-hat hackers in the audience of a
session on Vista security here at Ziff Davis Enterprise's 2007
Security Summit on March 14. The session, titled "Vista: How Secure
Are We?," was presented by David Tan, co-founder and chief technology
officer at CHIPS Computer Consulting.

By Moore's side were equally prestigious hackers Joanna Rutkowska-
security researcher at COSEINC-and Jon "Johnny Cache" Ellch, author of
"Hacking Exposed Wireless."

For her part, Rutkowska granted that yes, one way to own a Vista
system is by getting a rootkit certified, but if you want a
compromised system, you don't even have to waste your time and money
with certification-"It can be a graphics card with a stupid bug," she
said. "You can't do anything about it. You can't sue the vendor for
introducing a bug. You can't prove it was done intentionally."

Until Microsoft or some security vendor concocts a black list for
buggy drivers, Rutkowska said, Vista is potential toast. Of course,
bugs can always be detected in memory, right? Except-oops!-Rutkowska
demonstrated a few weeks ago at Black Hat that exploits can in fact
tinker with memory to hide their footprints.

Click here to read more about kernel rootkits.

But before the hackers, and Tan himself, pointed out Vista's security
weak points, Tan outlined the improvements to the new operating
system's security features. He praised Microsoft's Trustworthy
Computing initiative and the company's reshaped development cycle for
the "phenomenal effort" that has produced products such as SQL Server
2005-a version of the database that to date hasn't had a single major
vulnerability or exploit attached to it. "Microsoft deserves to be
applauded for that," he said.


In keeping with that improved attention to security, Microsoft has
added a slew of security features to Vista in the two areas you need
to worry about in a client operating system, Tan said: namely,
protecting the system and protecting data.

Those features include UAC (User Access Control), a feature that
forces users to work in restricted accounts instead of with the rights
of system administrators that they had traditionally been granted in
previous Windows versions. UAC is active by default for all users-
although it can be turned off-and even administrator accounts only get
medium-integrity level rights in Vista.

UAC has been criticized on the basis of the debatable annoyance level
pertaining to its warning boxes, which pop up in colors (orangey-red
for caution, bluish-green for safe) and ask users if they really want
to proceed with given actions. Rutkowska kicked off the criticism of
UAC when she wrote in her blog that, although UAC is "the most
important security mechanism introduced in Vista," it "can be bypassed
in many ways."

Rutkowska's observations were soon followed by Symantec research
scientist Ollie Whitehouse's Feb. 20 posting titled "An Example of Why
UAC Prompts in Vista Can't Always Be Trusted," due to the ease in
which social engineering can be used to trick users into approving
illicit user privilege escalation.

Next Page: Microsoft's attitude problem.