Microsoft Watches Vista Get Own3d

Microsoft security chief Ben Fathi responds to a demo of a new technique used to plant an offensive rootkit in Vista.

Ben Fathi slipped into the darkened, packed conference room and took a seat on the carpeted floor.

On the Black Hat stage, malware researcher Joanna Rutkowska, of Coseinc, was discussing a new technique that could plant an offensive rootkit in Windows Vista, Microsofts "most secure ever" operating system.

As corporate vice president for Microsofts Security Technology Unit, it is Fathis responsibility to deliver on Vistas security promise, and Rutkowskas claim—complete with live demo—that a key anti-rootkit feature can be easily defeated could be a public relations nightmare.

But Fathi was unperturbed. He paid close attention to Rutkowskas slides and didnt even flinch when the room erupted in applause as the demo succeeded in loading unsigned code into Vista Beta 2 kernel (x64), without requiring a reboot.

"This is the reason were here—to see the advancements in research and work closely with [white hat hackers] to figure out whats working and whats not working," Fathi told eWeek. "Its beta software that will have bugs. That [attack scenario] has already been fixed in later builds," he said.

Rutkowska described how scripts can be used to allocate excess amounts of memory to a process, forcing the target system to page out unused code and drivers. At this stage, Rutkowska showed how shell code could be executed inside one of the unused drivers, completely defeating the new device driver signing policy being implemented in Vista to allow only digitally signed drivers to load into the kernel.

Fathi did not say how Microsoft had fixed the issue in later Vista builds, but he received plenty of advice and recommendations from Rutkowska.