Symantec Report IDs Holes in Vista Kernel SecurityBy Matt Hines | Posted 2006-08-09 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
While praising many of the tactics that Microsoft has employed to increase kernel-level security in existing iterations of its next-generation Vista operating system, Symantec maintains that a small number of loopholes remain that could leave the product
Anti-virus market leader Symantec has published its third and final report in a series of studies meant to examine the security improvements being made by Microsoft in early versions of its Vista operating system; while lauding the software maker's efforts to lock down the kernel of the next-generation Windows OS, the security company did find several shortcomings.
As with Symantec's two previous reports, researchers at the company dissected portions of the beta versions of Vista already shared with the public by Microsoft.
The earlier reports, which studied networking and account privilege management features of Vista, respectively, broadly questioned Microsoft's ability to execute some of its security-oriented development efforts.
The third report provides mainly positive feedback for the software giant, but still includes a pair of criticisms.
The latest report hands out praise for much of Microsoft's kernel-related work, which includes the addition of driver signing requirements, the company's PatchGaurd anti-patching technology, kernel-mode code integrity checks, optional support for a secure boot mode, and use of restricted user-mode access to a Vista desktop's physical memory.
Symantec observed that there is substantial value in the enhancements, which are largely aimed at preventing unsigned code from being injected into the Vista kernel, and establishing a virtual "chain-of-trust" from the time a Vista PC boots until its applications are launched.
On the whole, the changes will improve security of the Vista kernel "significantly" compared to earlier iterations of the OS, according to the report, even when the Microsoft software is compared to products that have long claimed to be more secure than Windows, including Linux systems or Apple's Mac OS X.
However, among the positives identified by Symantec, the research report highlighted a pair of perceived shortcomings which could still leave the Vista kernel at risk if exploited.
In both instances, Symantec researchers pointed out flaws in the driver signing technology that Microsoft has added to the kernel.
The most common mechanism for delivering malicious code into the Windows XP kernel is through a driver, typically installed on an end user's machine without his or her knowledge by a Web site or online banner advertisement.
In Vista, all such drivers must be authorized to download via an authorized code signing certificate, which must be provided by a trusted source such as Microsoft or VeriSign.
While the process should eliminate the threat previously posed by malicious drivers aimed at the kernel, as long as Microsoft keeps unauthorized sources from obtaining the certificates, Symantec said that it is possible to disable the driver signing and code integrity capabilities by using binary patches on the operating system's WINLOAD.EXE and CI.DLL files.
The security company said that patching the files at runtime to exploit the issue is quite straightforward, with each file requiring patching at just a single location. And despite the fact that the files are protected by the WRP (Windows Resource Protection), the files can be altered relatively easily, according to the report.
The second issue, revolving around the lack of certificate revocation support in WINLOAD.EXE, can "easily undermine" the advantages of driver signing if the legitimate software publishing certificate of a company is stolen, published or misused by another party, specifically a former or disgruntled employee.
Once the driver signing checks have been disabled, a malicious unsigned driver can be loaded, the researchers said.
However, Symantec pointed out that Microsoft has promised that certificate revocation will be available in the Release Candidate 1 version of the software, due out sometime in early 2007.
Next Page: Responding to reports.
In response to the reports, Microsoft has maintained that the security researchers should not assume that any problems they find in the beta versions of Vista will remain there when the final product ships sometime in 2007.
Symantec has also credited Microsoft with making consistent progress with each version of the software it has released publicly thus far.
Microsoft officials said in a statement that any beta versions of Vista will include issues that will be addressed in later releases and that it welcomes feedback from partners, including Symantec.
However, the company called it "unusual" for a partner to provide such a large amount of analysis, and publish its findings, on beta products.
The version of Vista that Symantec has studied was released in February 2006, and many of the problems highlighted by the reports have already been fixed, the company claims.
"We are continuing to make changes to Windows Vista security technologies as a result of ongoing analysis from both Microsoft and third parties," the company said in its statement. "Many of these changes will be implemented for the [Release Candidate 1] release."
The seeming discord over the manner in which Symantec has called out beta versions of Vista may point to growing tensions between the two companies as Microsoft moves aggressively into the security market.
Among the security tools that will be bundled along with Vista are anti-malware applications that serve the same purpose as some of Symantec's core aftermarket products, and the two firms are also increasingly competitive in the enterprise security space.
However, it is also clear that there are remaining security issues in Vista, and specifically related to the kernel.
At the Black Hat security conference in Las Vegas on Aug. 2, malware researcher Joanna Rutkowska of COSEINC, displayed a new technique that could be used to plant an offensive rootkit in Vista.
In a room packed with conference attendees and even Microsoft's top security guru, Ben Fathi, corporate vice president for its STU (Security Technology Unit), Rutkowska succeeded in loading unsigned code into Vista Beta 2 kernel, without requiring a reboot.
Despite watching the product be assailed successfully, Fathi said that Microsoft is making headway, including with the help of such demonstrations.
"This is the reason we're here. To see the advancements in research and work closely with these guys [white hat hackers] to figure out what's working and what's not working," Fathi said in an interview with eWEEK immediately after the presentation.
"We've already fixed that path [of attack] It's beta software that will have bugs. That [attack scenario] has already been fixed in later builds," Fathi said.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.