Microsoft blocks Vista kernel hacking tool
By Jonathan Schlaffer
Previously we reported on a similar tool that would bypass Vista’s kernel protection to allow the installation of unsigned drivers that could possibly contain a rootkit. Microsoft has now released Windows Defender updates to remove and block the threat.
The company has blocked the application Atsiv, which bypasses a security feature in the 64-bit version of Vista. Under normal circumstances a driver must be signed before it can be installed on the 64-bit version of Vista; installing an unsigned driver is easier on the 32-bit versions.
Atsiv bypasses this check by loading its own signed driver, which then lets unsigned drivers be loaded through its own portable executable (PE) loader. That PE loader contains the data the Vista loader needs to manage the wrapped code.
Ollie Whitehouse from Symantec Research told ZDNet, “The [Atsiv] driver isn’t malicious in itself, but it could allow malicious code into the kernel. It’s punching a big hole through the wall and allowing everything else to climb through.”
Atsiv not only allows unsigned drivers to be loaded; a side effect of using its own PE loader is that the loaded code does not appear in Microsoft’s standard driver list, which is rootkit behavior, according to Whitehouse.
Microsoft responded to Atsiv by releasing a Windows Defender update on August 2, 2007 that detects, blocks and removes the current Atsiv version. Microsoft’s digital signing partner, VeriSign, has revoked Atsiv’s signing credentials, which means the Atsiv driver will no longer be considered valid.
The makers of Atsiv say that no malicious behavior was intended and maintain that the software is safe.
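A loader driver of the kind described above still has to be registered with Windows and carry a valid signature to get into the kernel at all, so auditing the registered drivers and their Authenticode status is the natural first check a defender would run on a 64-bit Vista-era host. The following PowerShell is an added example, not code from the article or from Microsoft; the function names Resolve-DriverImagePath and Get-DriverSignatureReport are my own, and it assumes PowerShell 3 or later run from an elevated prompt. Note that code mapped through a private PE loader will not show up in this list at all, which is exactly the gap Whitehouse describes.

```powershell
# Added example (not from the article): list the kernel drivers registered with
# the Service Control Manager and report any whose image lacks a valid
# Authenticode signature. Assumes PowerShell 3+ on Windows, run elevated so
# every driver image is readable.

function Resolve-DriverImagePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName uses several NT-style prefixes; map them to Win32 paths.
    $p = $PathName.Trim('"')
    if ($p -match '^\\SystemRoot\\(.*)$') { return Join-Path $env:SystemRoot $Matches[1] }
    if ($p -match '^\\\?\?\\(.*)$')       { return $Matches[1] }
    if ($p -match '^[A-Za-z]:\\')         { return $p }
    return Join-Path $env:SystemRoot $p    # e.g. "System32\drivers\foo.sys"
}

function Get-DriverSignatureReport {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $d.PathName) { continue }
        $image = Resolve-DriverImagePath $d.PathName
        if (-not (Test-Path -LiteralPath $image)) {
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Image = $image; Status = 'ImageMissing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $image
        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Image  = $image
            Status = $sig.Status   # Valid, NotSigned, NotTrusted, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Anything running that is not 'Valid' deserves a closer look. Caveat: inbox
# drivers are commonly catalog-signed rather than embedded-signed, so a
# 'NotSigned' result on a Microsoft component may be a false alarm; confirm with
# a catalog-aware check (for example signtool verify /kp) before treating the
# driver as an unsigned load.
Get-DriverSignatureReport |
    Where-Object { $_.State -eq 'Running' -and $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

Once a signer's certificate has been revoked, as the article reports for Atsiv, the same report is a quick way to see whether a driver signed with it is still loaded on the machine.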