Can a Rootkit Be Certified for Vista?

A roomful of hackers, CIOs and CSOs agree that Microsoft's given us the most secure version of Windows yet, but their approval is served up with a garnish of "excepts," "howevers" and "althoughs."

NEW YORK—Forget what Microsoft says about Vista being the most secure version of Windows yet. More to the point, what do the hackers think of it?

In a nutshell, they think its an improvement, but at the end of the day, its just like everything else they dissect—that is, breakable.

"Not all bugs are being detected by Vista," pointed out famed hacker H.D. Moore. "Look at how a hacker gets access to the driver: Right now Im working on Microsofts automated process to get Metasploit-certified. It [only] costs $500."

Moore is the founder of the Metasploit Project and a core developer of the Metasploit Framework—the leading open-source exploit development platform—and is also director of security research at BreakingPoint Systems. The irony of his statement lies in the idea that Vista trusts Microsoft-certified programs—programs that can include a hacker exploit platform that walks through the front door for a mere $500 and a conveyor-belt approval process.

Moore was one of a handful of white-hat hackers in the audience of a session on Vista security here at Ziff Davis Enterprises 2007 Security Summit on March 14. The session, titled "Vista: How Secure Are We?," was presented by David Tan, co-founder and chief technology officer at CHIPS Computer Consulting.

By Moores side were equally prestigious hackers Joanna Rutkowska—security researcher at COSEINC—and Jon "Johnny Cache" Ellch, author of "Hacking Exposed Wireless."

For her part, Rutkowska granted that yes, one way to own a Vista system is by getting a rootkit certified, but if you want a compromised system, you dont even have to waste your time and money with certification—"It can be a graphics card with a stupid bug," she said. "You cant do anything about it. You cant sue the vendor for introducing a bug. You cant prove it was done intentionally."

Until Microsoft or some security vendor concocts a black list for buggy drivers, Rutkowska said, Vista is potential toast. Of course, bugs can always be detected in memory, right? Except—oops!—Rutkowska demonstrated a few weeks ago at Black Hat that exploits can in fact tinker with memory to hide their footprints.

/zimages/3/28571.gifClick here to read more about kernel rootkits.

But before the hackers, and Tan himself, pointed out Vistas security weak points, Tan outlined the improvements to the new operating systems security features. He praised Microsofts Trustworthy Computing initiative and the companys reshaped development cycle for the "phenomenal effort" that has produced products such as SQL Server 2005—a version of the database that to date hasnt had a single major vulnerability or exploit attached to it. "Microsoft deserves to be applauded for that," he said.

In keeping with that improved attention to security, Microsoft has added a slew of security features to Vista in the two areas you need to worry about in a client operating system, Tan said: namely, protecting the system and protecting data.

Those features include UAC (User Access Control), a feature that forces users to work in restricted accounts instead of with the rights of system administrators that they had traditionally been granted in previous Windows versions. UAC is active by default for all users—although it can be turned off—and even administrator accounts only get medium-integrity level rights in Vista.

UAC has been criticized on the basis of the debatable annoyance level pertaining to its warning boxes, which pop up in colors (orangey-red for caution, bluish-green for safe) and ask users if they really want to proceed with given actions. Rutkowska kicked off the criticism of UAC when she wrote in her blog that, although UAC is "the most important security mechanism introduced in Vista," it "can be bypassed in many ways."

Rutkowskas observations were soon followed by Symantec research scientist Ollie Whitehouses Feb. 20 posting titled "An Example of Why UAC Prompts in Vista Cant Always Be Trusted," due to the ease in which social engineering can be used to trick users into approving illicit user privilege escalation.

Next Page: Microsofts attitude problem.