Can a Rootkit Be Certified for Vista?

By Lisa Vaas  |  Posted 2007-03-15 Print this article Print

A roomful of hackers, CIOs and CSOs agree that Microsoft's given us the most secure version of Windows yet, but their approval is served up with a garnish of "excepts," "howevers" and "althoughs."

NEW YORK—Forget what Microsoft says about Vista being the most secure version of Windows yet. More to the point, what do the hackers think of it? In a nutshell, they think its an improvement, but at the end of the day, its just like everything else they dissect—that is, breakable.
"Not all bugs are being detected by Vista," pointed out famed hacker H.D. Moore. "Look at how a hacker gets access to the driver: Right now Im working on Microsofts automated process to get Metasploit-certified. It [only] costs $500."
Moore is the founder of the Metasploit Project and a core developer of the Metasploit Framework—the leading open-source exploit development platform—and is also director of security research at BreakingPoint Systems. The irony of his statement lies in the idea that Vista trusts Microsoft-certified programs—programs that can include a hacker exploit platform that walks through the front door for a mere $500 and a conveyor-belt approval process. Moore was one of a handful of white-hat hackers in the audience of a session on Vista security here at Ziff Davis Enterprises 2007 Security Summit on March 14. The session, titled "Vista: How Secure Are We?," was presented by David Tan, co-founder and chief technology officer at CHIPS Computer Consulting. By Moores side were equally prestigious hackers Joanna Rutkowska—security researcher at COSEINC—and Jon "Johnny Cache" Ellch, author of "Hacking Exposed Wireless." For her part, Rutkowska granted that yes, one way to own a Vista system is by getting a rootkit certified, but if you want a compromised system, you dont even have to waste your time and money with certification—"It can be a graphics card with a stupid bug," she said. "You cant do anything about it. You cant sue the vendor for introducing a bug. You cant prove it was done intentionally." Until Microsoft or some security vendor concocts a black list for buggy drivers, Rutkowska said, Vista is potential toast. Of course, bugs can always be detected in memory, right? Except—oops!—Rutkowska demonstrated a few weeks ago at Black Hat that exploits can in fact tinker with memory to hide their footprints. Click here to read more about kernel rootkits. But before the hackers, and Tan himself, pointed out Vistas security weak points, Tan outlined the improvements to the new operating systems security features. He praised Microsofts Trustworthy Computing initiative and the companys reshaped development cycle for the "phenomenal effort" that has produced products such as SQL Server 2005—a version of the database that to date hasnt had a single major vulnerability or exploit attached to it. "Microsoft deserves to be applauded for that," he said. In keeping with that improved attention to security, Microsoft has added a slew of security features to Vista in the two areas you need to worry about in a client operating system, Tan said: namely, protecting the system and protecting data. Those features include UAC (User Access Control), a feature that forces users to work in restricted accounts instead of with the rights of system administrators that they had traditionally been granted in previous Windows versions. UAC is active by default for all users—although it can be turned off—and even administrator accounts only get medium-integrity level rights in Vista. UAC has been criticized on the basis of the debatable annoyance level pertaining to its warning boxes, which pop up in colors (orangey-red for caution, bluish-green for safe) and ask users if they really want to proceed with given actions. Rutkowska kicked off the criticism of UAC when she wrote in her blog that, although UAC is "the most important security mechanism introduced in Vista," it "can be bypassed in many ways." Rutkowskas observations were soon followed by Symantec research scientist Ollie Whitehouses Feb. 20 posting titled "An Example of Why UAC Prompts in Vista Cant Always Be Trusted," due to the ease in which social engineering can be used to trick users into approving illicit user privilege escalation. Next Page: Microsofts attitude problem.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel