Microsoft tightens Vista kernel defenses, updates PatchGuard

August 15, 2007

Microsoft seems to be working hard to improve its Windows Vista Kernel Patch Protection defenses, with the company issuing an updated PatchGuard.

The updated PatchGuard is available as a high-priority download through Windows Update.

According to an advisory posted by the Microsoft Security Response Center (MSRC): “The update does increase the reliability, performance, and resiliency provided by Kernel Patch Protection.”

The advisory further clarified that “while this update adds additional checks to the Kernel Patch Protection system, it does not involve a security vulnerability”. In other words, the release hardens PatchGuard itself rather than fixing a specific reported hole.

At the recent Black Hat conference, Joanna Rutkowska, security researcher and founder of Invisible Things Lab, said that Windows Vista’s underlying security problem is its lack of effective kernel protection, a problem that isn’t likely to be resolved any time soon.

Since then, two utilities have circumvented a crucial Vista kernel security feature: the requirement that 64-bit kernel-mode drivers be signed with a valid digital certificate. Both piggybacked unsigned code onto a legitimately signed driver to get past that check and into the kernel.

The Atsiv utility bypasses the check by loading its own signed driver, which then maps unsigned drivers into kernel memory through its own portable executable (PE) loader. Because signature enforcement is applied only to images that go through the kernel’s normal driver-load path, a signed driver that copies and executes arbitrary PE images sidesteps it entirely. Atsiv’s signing certificate was later revoked, and Microsoft released Windows Defender updates to detect, remove and block the tool.

Another utility, Purple Pill, bypasses the same anti-rootkit/anti-DRM defense built into the 64-bit Vista kernel. It exploited a previously reported flaw in ATI’s signed display driver to patch the Vista kernel and switch off its driver-signature checks, which meant that any rootkit author could piggyback on ATI’s legitimately signed driver to tamper with the kernel.
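Both bypasses above rely on a signed driver that is already on the box. The audit below is an added example written for this page, not code from Microsoft or from either tool; it checks, on a Windows host, whether any running kernel driver fails Authenticode verification and whether the boot configuration has test-signing or integrity checks turned off. It assumes an elevated prompt, that the image path recorded for each driver service resolves to a file on disk, and that bcdedit is on PATH.

```powershell
# Added example: audit registered kernel drivers and Code Integrity boot settings.
# Not part of the original article; run from an elevated PowerShell prompt.

function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    # Service image paths come in several spellings:
    #   \SystemRoot\system32\drivers\x.sys, \??\C:\...\x.sys, system32\drivers\x.sys
    if ($p -match '^\\SystemRoot\\(.*)$')  { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^\\\?\?\\(.*)$')    { $p = $Matches[1] }
    elseif ($p -notmatch '^[A-Za-z]:\\')   { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    # Win32_SystemDriver lists every kernel-mode driver service and its state.
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $d.PathName
                               Status = 'FileNotFound'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Path   = $path
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

function Get-CodeIntegrityBootSettings {
    # bcdedit prints "testsigning  Yes" / "nointegritychecks  Yes" only when set.
    $out = bcdedit /enum '{current}' 2>$null
    [pscustomobject]@{
        TestSigning       = [bool]($out -match '^\s*testsigning\s+Yes')
        NoIntegrityChecks = [bool]($out -match '^\s*nointegritychecks\s+Yes')
    }
}

# Report: running drivers whose image does not verify, then the boot flags.
Get-DriverSignatureReport |
    Where-Object { $_.State -eq 'Running' -and $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Signer, Path -AutoSize
Get-CodeIntegrityBootSettings
```

The caveat is what the article’s two tools illustrate: a signed loader driver reports as Valid, and the unsigned code it maps into the kernel is never registered as a driver service, so this audit catches plain unsigned drivers, a driver that fails hash verification and a machine booted with test-signing, but not code piggybacked through a signed driver. For that case the defence is revoking the signing certificate and blocking the loader with anti-malware signatures, as Microsoft did here.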

Within days of Purple Pill’s release, AMD patched its ATI Catalyst drivers to remove the possibility of their being used as an attack vector. Note that the fix does not unsign the old vulnerable build, which an attacker can still ship alongside a rootkit until its certificate is revoked.

Knowing that simply blocking particular drivers’ access to the Vista kernel does not scale, and that waiting for third parties to fix their drivers is not reliable, Microsoft seems to be on the right track by beefing up its Vista Kernel Patch Protection defenses.


One Response to “Microsoft tightens Vista kernel defenses, updates PatchGuard”

  1. Microsoft’s Vista PatchGuard updates not connected to kernel hacks - VISTA.BLORGE.com:

    [...] Microsoft tightens Vista kernel defenses, updates PatchGuard [...]


Copyright © 2009 Blorge.com