Two months after Joaana Rutkowska's "Blue Pill" security vulnerability demonstration at the Black Hat Conference in Las Vegas, security mavens are still debating whether this vulnerability is indeed legitimate or even if Windows Vista's code is actually the problem. Let's take a look at the facts.
- The presentation demonstrated how a user with administrative privileges over an x64-based machine could attempt to place unsigned (unverified) code directly into the Windows Vista kernel.
- The exploit functions by creating an undetectable virtual machine into which, theoretically, malware—most likely a rootkit—could be executed. In Rutkowska's example, this "malware" was unsigned code that eventually made it into the Vista kernel, without rebooting the machine.
- A crucial part of Rutkowska's demonstration was an alleged weakness in the AMD Pacifica SVM technology, which is a virtualization capability offered in 64-bit AMD processors. To quote Rutkowska on her blog, "I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform."
- There is discussion and debate about whether Intel's virtualization technology is vulnerable, and if so, to what degree as compared with AMD's technology.
- The exploit in the end requires administrative access to the machine, a privilege threshold that, when achieved, allows all sorts of activities, both legitimate and illegitimate, that could potentially weaken or destroy the integrity of a system.
- X64 versions of Windows Vista, by default, require drivers to be signed before installation. This purpose of this requirement is to thwart potential attacks as well as improve system reliability. After all, buggy drivers that are signed basically have a business card with the developers' information on it, making resolution much easier.
- Microsoft is investigating this exploit to determine whether modification to Vista's security mechanisms are necessary. In fact, Austin Wilson of Microsoft says, "we already have our teams combing through information to make Windows Vista even better because of [the Black Hat conference]."
The fact that this exploit even occurred is alarming. But exactly who should it alarm? Windows system administrators? Those thinking of running Windows Vista x64? Or all administrators? I believe it's something we all should be concerned with.
So has Windows Vista security been blown away? Has all the work the development team put into the product been for naught? Absolutely not. The response to Windows Vista's security at Black Hat was actually quite positive, which is saying something significant when you consider the typical makeup of the audience at the conference—they're hardly Microsoft apologists.
Good things are happening when it comes to security in Vista. Don't let this "blue pill" business make you think otherwise.
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security. Ask Hassell a hardening Windows question today.