Windows Vista Gets Another Dose of The 'Blue Pill'
And then some. A Black Hat hacker proves more than just a Blue Pill can stymie the operating system.
LAS VEGAS -- Once again security researcher Joanna Rutkowska took the stage at Black Hat, and once again she set out to prove in glorious detail how to exploit and attack Microsoft Windows Vista.
Rutkowska blew the lid off last year's Black Hat event with her landmark presentation ahead of the official Vista release where she demonstrated a virtualized rootkit called Blue Pill that took control over a Vista machine.
This year she brought a new pill and a few more tricks to take Vista to task.
"I'm going to talk about Vista kernel protection and why it doesn't work," Rutkowska boldly declared to the overflow crowd.
She then read a quote from Microsoft's Vista documentation that stated that even users with admin privileges cannot load unsigned kernel-mode code on the system. Then she smiled mischievously.
"There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska said.
She then displayed two examples, both from graphics card vendors, to prove her point. In her view both the ATI Catalyst driver and the NVIDIA nTune driver are flawed in a way that lets them be used as an attack vector to circumvent Vista kernel protection.
With the NVIDIA driver, Rutkowska alleged that the driver was able to read and write registers without any additional checks.
"The whole problem in NVIDIA is that the driver doesn't do the proper checks and can do a write for an arbitrary registry."
To add further insult to injury, the target machine doesn't even need to have the bad driver on the system in order for the attacker to use it as an attack vector.
"The attacker could just include it as part of their own rootkit and then use it to exploit Vista," Rutkowska said. "It doesn't matter whether it's a popular driver or not. We can bring it to the target system and exploit it."
If having a bad third-party driver wasn't bad enough, Rutkowska explained that an attacker could make their own buggy driver to use for an attack. According to her, Microsoft doesn't require developers to submit their drivers to Microsoft for signing.
To prove her point, Rutkowska said she went to Microsoft partner GlobalSign and obtained a driver-signing certificate for $250.
"We can now sign whatever we want," Rutkowska declared. "No one can prove that I intentionally built a bug."
She said that she could just put the driver on her site and anyone could then bundle it with a rootkit and exploit Vista. "But I don't have to do this 'cause we have dozens of public drivers to exploit already."