Vista, Rootkits Headline Hacker Confab

Black Hat Briefings: Microsoft plans to showcase Vista as its "most secure operating system ever," but independent researchers worry that the hacker powwow is being reduced to a glorified product demo.

For Microsoft, the coming days of Black Hat Briefings hacker scrutiny in Las Vegas could make or break its claim that Windows Vista is the "most secure operating system ever."

The software maker will use the August 2-3 security conference to showcase a wide range of security features and functionality being fitted into the successor to Windows XP.

But even as the Redmond, Wash., company's hype machine swings into high gear, independent researchers worry that the venerable hacker powwow is being reduced to a glorified product demo for a rich sponsor.

"You're not going to learn much from a Microsoft talk. They're basically there to do a Vista demo and tell the IT guy that they've made it harder to break," said Marc Maiffret, chief hacking officer at eEye Digital Security, in Aliso Viejo, Calif.

For Maiffret and other Black Hat Briefings veterans, the inclusion of Microsoft on the agenda—an entire day of tracks dedicated to Vista security—dilutes a conference known for the controversial release of zero-day exploits and hacking tools, discussions on novel software cracking techniques and lively debates on flaw disclosure, privacy, defense mechanisms and industry trends.

"It'll be interesting to see how far Microsoft will go to market Vista, but I don't think anyone's going there to listen to Microsoft talk about how great a job they did," Maiffret said in an interview with eWEEK.


Microsoft has spared no expense in the last few years to convince the world that security is its No. 1 priority, and the Black Hat appearance—which includes a security researcher appreciation party in the swanky Palms Casino hotel—could turn into a very tricky challenge.

If the four "deeply technical" Vista presentations turn into a security infomercial, Microsoft runs the risk of alienating the very people it needs to impress.

The mission is straightforward, but crucial: to convince some of the smartest hackers in the world that Windows Vista, the first end-to-end major operating system release in the Trustworthy Computing era, has been truly re-engineered to foil malicious attackers.

Microsoft's presentations promise a comprehensive overview of the security engineering process behind Vista; an explanation of the way the operating system will handle support for 802.11 wireless technologies; an introduction to a re-architected and rewritten TCP/IP stack; and the way Vista's heap manager has been hardened to thwart heap usage attacks.

Ironically, on the same day as Microsoft's Vista track, a security researcher with expertise in rootkits is scheduled to display a new technique for defeating Vista's new device driver signing feature to load a rootkit on the new operating system.

Joanna Rutkowska, a stealth malware researcher at Singapore-based IT security firm Coseinc, said her presentation will cover how to insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition) without requiring a system reboot.

The technique bypasses a new policy implemented by Microsoft that only allows digitally signed drivers to load into the kernel.

Rutkowska will also demo the first working prototype of "Blue Pill," a new technology that she claims can create "100 percent undetectable malware" by moving the target operating system into a secure virtual machine on the fly.

"The phrase 'on the fly' is the most important thing about Blue Pill—it makes it possible to install a Blue Pill-based malware without restarting the system and without any BIOS or boot sector modifications," Rutkowska explained in her aptly titled Invisible Things blog.

Networking gear vendor Cisco Systems, of San Jose, Calif., also plans to use this year's conference to repair its image with the hacking community after the debacle in 2005, when ISS X-Force analyst Michael Lynn resigned on the spot to demonstrate the first-ever example of exploit shellcode in Cisco IOS, a presentation that led to a major legal tussle.

Like Microsoft, Cisco is listed as a platinum sponsor this year, but the company's products will still be the focus of new vulnerability research.


Two talks on the schedule will focus on easy-to-bypass flaws in NAC (Network Admission Control) and VOIP technologies built into widely used embedded devices, including those sold by Cisco.

Security researchers at SPI Dynamics, of Atlanta, Ga., plan to pinpoint vulnerabilities in the way RSS clients implement XML feeds.

The talk, entitled Zero Day Subscriptions, will show how RSS and Atom feeds can be used to deliver malicious exploits to client systems.

"There are many [RSS readers], local and Web-based, that aren't thinking about all possible attack scenarios. We'll show how the feed readers can be used to deliver malicious code using RSS," Caleb Sima, SPI Dynamics chief technology officer and co-founder, told eWEEK in an interview.
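The Zero Day Subscriptions talk described above hinges on feed readers rendering item content as trusted HTML. The following is an added example, not code from SPI Dynamics or from the article, of the defensive check a feed reader should apply: it parses a constructed RSS document and strips every tag, attribute and URL scheme that is not on an allow-list before the description is rendered (the feed, tag lists and function names are all assumptions made for the example).

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed sample feed (not from the page): one benign item and one whose description carries active content.
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>demo</title>
<item><title>ok</title><description>&lt;p&gt;Hello &lt;b&gt;world&lt;/b&gt;&lt;/p&gt;</description></item>
<item><title>bad</title><description>&lt;p onmouseover="x()"&gt;Hi&lt;/p&gt;&lt;script&gt;x()&lt;/script&gt;&lt;a href="javascript:x()"&gt;link&lt;/a&gt;</description></item>
</channel></rss>"""

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}   # assumed allow-list for the example
ALLOWED_ATTRS = {"a": {"href"}}                               # only <a href> survives
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = ("http://", "https://")

class _Sanitizer(HTMLParser):
    """Rebuild markup keeping only allow-listed tags/attributes; drop active content entirely."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip: depth inside an element whose content is discarded
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = [f' {n}="{html.escape(v or "")}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, set())
                    and (n != "href" or (v or "").lower().startswith(SAFE_SCHEMES))]
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:  # re-escape text so decoded entities cannot turn back into markup
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    """Return fragment with only allow-listed tags/attributes and http(s) hrefs."""
    p = _Sanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def sanitized_descriptions(rss_xml):
    """Map item title -> sanitized description for each <item> in the feed."""
    root = ET.fromstring(rss_xml)
    return {i.findtext("title"): sanitize_html(i.findtext("description") or "")
            for i in root.iter("item")}
```

A reader that renders the sanitized string instead of the raw description removes the script, the event-handler attribute and the javascript: link in one pass; Atom content would be handled the same way after extracting the content element.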

Jeremiah Grossman, CTO of WhiteHat Security in Santa Clara, Calif., plans to share research findings on invisible JavaScript exploit code capable of hijacking cookies, capturing keyboard strokes and monitoring Web site visits.
