Free utility tool circumvents Vista kernel defenses

July 30, 2007

The security defenses put in place by Microsoft to protect its Windows Vista kernel from non-digitally-signed code can now be easily circumvented with the release of a free utility tool, according to researchers at Symantec.

A new software tool, named Atsiv, released by Australian developer LinchpinLabs, allows the loading of unsigned and legacy drivers into the kernel.

Microsoft earlier ruled that its Vista kernel would accept and load only digitally-signed code. Drivers must carry a signature from a certificate issued by an authority recognized by Microsoft before they can be loaded properly. However, this does not prevent users from loading unsigned or legacy drivers under a limited functionality mode.

Ollie Whitehouse, an architect with Symantec’s advanced threats research team, disclosed that they were able to load unsigned code into the Vista kernel using Atsiv.

“[Atsiv's] command line tool loads [its own] appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their PE loader,” Whitehouse told Computerworld.

However, in the course of using the tool, Whitehouse found that Atsiv fails to update PsLoadedModuleList, so the newly added unsigned driver does not appear in the standard drivers list.

“This is rootkit-type behavior,” said Whitehouse.
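The detection angle implied by Whitehouse's finding, as an added example that is not from the article or from LinchpinLabs: a driver mapped by a private PE loader that never registers itself in PsLoadedModuleList still occupies kernel memory, so an image found by scanning memory but absent from the module list is suspicious. Both views below are constructed sample data, not real system output; the module names and addresses are assumptions.

```python
"""Cross-view check for kernel images hidden from PsLoadedModuleList.

Added example (not the article's or Atsiv's code). It compares two views of
the kernel: the module list the OS maintains, and PE images found by walking
kernel memory. An image the list does not cover is the rootkit-style gap the
article describes. All data below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str   # image name as a driver list would report it
    base: int   # kernel virtual address of the image base
    size: int   # size of the mapped image in bytes


# View 1: what PsLoadedModuleList reports (constructed sample).
LOADED_MODULE_LIST = [
    Module("ntoskrnl.exe", 0xFFFFF80001000000, 0x400000),
    Module("hal.dll",      0xFFFFF80001400000, 0x040000),
    Module("atsiv.sys",    0xFFFFF88002000000, 0x010000),  # the signed loader driver
]

# View 2: PE images found by scanning kernel memory for headers (constructed).
# The unsigned driver mapped by the private PE loader appears only here.
MEMORY_PE_IMAGES = [
    (0xFFFFF80001000000, 0x400000),
    (0xFFFFF80001400000, 0x040000),
    (0xFFFFF88002000000, 0x010000),
    (0xFFFFF88002100000, 0x008000),  # no module list entry covers this range
]


def find_hidden_images(module_list, memory_images):
    """Return (base, size) of images not fully covered by any listed module."""
    hidden = []
    for base, size in memory_images:
        covered = any(m.base <= base and base + size <= m.base + m.size
                      for m in module_list)
        if not covered:
            hidden.append((base, size))
    return hidden


if __name__ == "__main__":
    for base, size in find_hidden_images(LOADED_MODULE_LIST, MEMORY_PE_IMAGES):
        print(f"unlisted kernel image at {base:#x} ({size:#x} bytes)")
```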

Whitehouse has suggested that the only way Microsoft can enforce the ban on unsigned kernel code is to revoke the certificate.

But whether or not Microsoft revokes the certificate used by Atsiv, the big questions remain. What keeps hackers from creating Atsiv-like programs? What keeps hackers from getting their malicious code digitally signed?




4 Responses to “Free utility tool circumvents Vista kernel defenses”

  1. nix:

    “What keeps hackers from getting their malicious code digitally signed?”

    Because they would have to be identified.

  2. Microsoft blocks Vista kernel hacking tool - VISTA.BLORGE.com:

    [...] company has blocked the application Atsiv which bypasses a security feature in the 64-bit version of Vista.  Under normal circumstances, [...]

  3. Purple Pill beats Windows Vista’s 64-bit driver authentication - VISTA.BLORGE.com:

    [...] that’s installed in 50 per cent of laptops, it cannot be addressed as easily as the case of Atsiv, where Microsoft simply revoked LinchpinLabs’ certificate on Atsiv and issued a signature for [...]

  4. Microsoft tightens Vista kernel defenses, updates PatchGuard - VISTA.BLORGE.com:

    [...] Atsiv utility bypasses this checking process by loading its own signed driver but then allows unsigned drivers to be loaded through its portable executable (PE) loader. Atsiv’s digital certificate was later revoked upon the request of Microsoft and the company has released Windows Defender updates to remove and block the threat. [...]

Copyright © 2012 Blorge.com NS