Security firm finds a way around Vista 64 Bit Patch Guard security

by Steve on October 28, 2006 · 0 comments

in Windows

For most windows administrators Vista is still a long way off before they need to deploy it on their networks. Even further off is a 64 bit version of Vista. Still it is important to stay on top of what is going on with these products, so as an administrator you are not blindsided when you encounter your first install.

Windows Vista - Clear, Confident, Connected

The 64 bit version of Vista is the first version of Windows that will only allow signed drivers. This means that if you want to install a driver on windows, it must have a valid certificate – something difficult for a virus, or piece of spyware.

We are told by Microsoft that this fact alone will make Vista 64 the most secure operating system ever developed. This was all changed back in July when Joanna Rutkowska spoke at the Black Hat USA conference. She described a method of installing drivers without any code signature by using the page file.

The three suggestions Joanna made for Microsoft to resolve the issue:

1. Block raw disk access from usermode.

2. Encrypt pagefile (alternatively, use hashing to ensure the integrity of paged out pages, as it was suggested by Elad Efrat from NetBSD).

3. Disable kernel mode paging (sacrificing probably around 80MB of memory in the worst case).

Microsoft picked the least desirable option number 1. This was easy for them, but potentially made it impossible for disk utility vendors from creating disk repair, and defragmentation tools.

So that was it, or so Microsoft thought. Problem solved. No more unsigned drivers.

This week the security firm Authentium found a workaround for Patch Guard

Patch Gurad is the technology that keeps unsigned drivers from being installed, and the kernel from being modified. Their method allows either a legitimate software vendor, or an attacker to disable it, install their wares, and then turn it right back on.

Patch Guard is the feature that Symantec and McAfee have been getting very upset about – since it essentially keeps them out too. Rightly so, since essentially Microsoft will bypass this for their own security products. It really is a bad idea to force these security vendors to resort to hacks to install their software.

Microsoft immediately responded with a angry attack stating that that the hack harmed windows users by reducing the security of Windows.

Still this whole debate needs to be watched. Not many IT departments are going to feel secure with a Microsoft only approach to anti-virus and anti-spyware. On the flip side no one wants to install code that *hacks* the kernel in a corporate environment – Microsoft can break it in a day with an automatic update. Hopefully the issue will be worked out by the time most of us will need a 64 bit version of windows on our network.

Leave a Comment

Previous post:

Next post: