Can a Rootkit Be Certified for Vista?

By Lisa Vaas  |  Posted 2007-03-15

Can a Rootkit Be Certified for Vista?

NEW YORK—Forget what Microsoft says about Vista being the most secure version of Windows yet. More to the point, what do the hackers think of it?

In a nutshell, they think its an improvement, but at the end of the day, its just like everything else they dissect—that is, breakable.

"Not all bugs are being detected by Vista," pointed out famed hacker H.D. Moore. "Look at how a hacker gets access to the driver: Right now Im working on Microsofts automated process to get Metasploit-certified. It [only] costs $500."

Moore is the founder of the Metasploit Project and a core developer of the Metasploit Framework—the leading open-source exploit development platform—and is also director of security research at BreakingPoint Systems. The irony of his statement lies in the idea that Vista trusts Microsoft-certified programs—programs that can include a hacker exploit platform that walks through the front door for a mere $500 and a conveyor-belt approval process.

Moore was one of a handful of white-hat hackers in the audience of a session on Vista security here at Ziff Davis Enterprises 2007 Security Summit on March 14. The session, titled "Vista: How Secure Are We?," was presented by David Tan, co-founder and chief technology officer at CHIPS Computer Consulting.

By Moores side were equally prestigious hackers Joanna Rutkowska—security researcher at COSEINC—and Jon "Johnny Cache" Ellch, author of "Hacking Exposed Wireless."

For her part, Rutkowska granted that yes, one way to own a Vista system is by getting a rootkit certified, but if you want a compromised system, you dont even have to waste your time and money with certification—"It can be a graphics card with a stupid bug," she said. "You cant do anything about it. You cant sue the vendor for introducing a bug. You cant prove it was done intentionally."

Until Microsoft or some security vendor concocts a black list for buggy drivers, Rutkowska said, Vista is potential toast. Of course, bugs can always be detected in memory, right? Except—oops!—Rutkowska demonstrated a few weeks ago at Black Hat that exploits can in fact tinker with memory to hide their footprints.

Click here to read more about kernel rootkits.

But before the hackers, and Tan himself, pointed out Vistas security weak points, Tan outlined the improvements to the new operating systems security features. He praised Microsofts Trustworthy Computing initiative and the companys reshaped development cycle for the "phenomenal effort" that has produced products such as SQL Server 2005—a version of the database that to date hasnt had a single major vulnerability or exploit attached to it. "Microsoft deserves to be applauded for that," he said.

In keeping with that improved attention to security, Microsoft has added a slew of security features to Vista in the two areas you need to worry about in a client operating system, Tan said: namely, protecting the system and protecting data.

Those features include UAC (User Access Control), a feature that forces users to work in restricted accounts instead of with the rights of system administrators that they had traditionally been granted in previous Windows versions. UAC is active by default for all users—although it can be turned off—and even administrator accounts only get medium-integrity level rights in Vista.

UAC has been criticized on the basis of the debatable annoyance level pertaining to its warning boxes, which pop up in colors (orangey-red for caution, bluish-green for safe) and ask users if they really want to proceed with given actions. Rutkowska kicked off the criticism of UAC when she wrote in her blog that, although UAC is "the most important security mechanism introduced in Vista," it "can be bypassed in many ways."

Rutkowskas observations were soon followed by Symantec research scientist Ollie Whitehouses Feb. 20 posting titled "An Example of Why UAC Prompts in Vista Cant Always Be Trusted," due to the ease in which social engineering can be used to trick users into approving illicit user privilege escalation.

Next Page: Microsofts attitude problem.


During his presentation, Tan voiced concern that frequent UAC consent dialog boxes will blend together to create a "click here to get work done" attitude. "Frequent UAC consent dialog boxes—will this force users to turn off the function?" he said. "Users will eventually get annoyed with it if it impacts their normal day-to-day activity."

However, Rutkowska said she was bewildered at the frequent arguments that the boxes are annoying. "Ive been using Vista two months now," she said, and within a few days of installation, shes rarely presented with a UAC dialog box. "I think UAC, from a technical point of view, is a very good thing," she said. "For normal users, this is [a good security mechanism]."

One thing Rutkowska said she doesnt like, however, is Microsofts attitude. After the UAC criticisms started making the rounds, Microsoft began to stress that UAC is not a hard security boundary, like a firewall—rather, its more of a guidance tool.

Unfortunately, that attitude means that Microsoft wont consider potential avenues of attack to be bugs, Rutkowska pointed out. "[Illicitly] elevating from low- to high-level [user privileges] wont be considered a security bug," she said—when in fact such escalation is a good indication that a machine has been compromised.

Another feature that protects the system in Vista is Windows Defender, included previously as a separate Windows download. Defender detects and removes any unwanted application, actively monitoring protected areas. The feature is integrated with group policy and thus works with Active Directory.

Another system-protecting feature is Vistas new Windows Firewall, which expands on the firewall included in Windows XP SP2 but improves on it by offering two-way protection. The earlier version didnt offer outbound infection—an omission that meant an infected machine wouldnt be stopped from spreading a virus outside of the network.

The final system protection feature added to Vista is Windows Security Center, which checks and displays the status of the Firewall, automatic updates, malware protection (Windows Defender) and other security settings, including third-party security software such as anti-virus programs.

Tan also criticized Vistas recognition of installation programs, which checks compatibility databases, heuristics and a programs embedded manifest—which declares to an operating system what it is. The potential dangers of Vistas handling of installers, Tan said, is that all installers run with administrative privileges, have full access to the file system and registry, and have the ability to load kernel drivers.

"As soon as you click OK, that application has complete administrative capabilities, including downloading and installing rootkits," he said.

Tan also criticized Internet Explorer 7 for its lack of Protected Mode in the versions that dont run on Vista. Protected Mode makes the browser run in a sandbox—i.e., it has limited read access to system components and cant download Trojans or spyware from malicious sites.

eWEEK Labs Jim Rapoza called Protected Mode "by far the best value-add of IE 7+." Click here to read the review.

That accounts for new system protection in Vista. As for data protection, the new operating system comes with BitLocker Drive Encryption—a feature that encrypts the entire Windows volume, protecting against data being stolen when a laptop is stolen or lost. Tans only criticism of that feature was that its available in only the Enterprise and Ultimate versions of Vista and is lacking in the Business version.

Other data protection features in Vista include EFS (Encrypting File System), used to encrypt files and folders; Rights Management Services, used to encrypt files persistently so they cant be e-mailed outside of the organization without proper server permissions; and Device Control, which enables better management of plug-and-play devices such as USB drives.

Tan also touched on PatchGuard, which locks down the kernel completely but also locks out some third-party applications, including anti-virus programs. Besides the ire that this drew from security software vendors, PatchGuard was actually cracked soon after Vistas introduction.

Other flawed security solutions in Vista include Windows Defenders lackluster performance, blocking a mere 47 percent of spyware in quick-scan mode in anti-virus testing. OneCare also fell "well short" in Virus Bulletins VB100 test and flunk AV-Comparatives test altogether.

"So Microsoft definitely still has some work to do in those areas," Tan said. Besides all that, a critical remote code execution bug in Vistas vector markup language was released on Jan. 9; in testing of Vistas strength against legacy exploits, Vista was found to have exploits that would survive exploits in every category except rootkits; key enhancements to Vista security are only available on 64-bit platforms; and you need new hardware platforms to fully support Vista, Tan said.

Cumulatively, it sounds bad, Tan said, but hackers and Tan agreed: significant strides have been made in securing Vista. "Its a security evolution, not a revolution," Tan said. "Vista is not a security solution—it is a more a secure version of Windows."

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Rocket Fuel