A Blue Pill has been stirring up talk lately about the hardening of Windows Vista. No, I'm not talking about Viagra. Rather, it is security researcher Joanna Rutkowska's Blue Pill attack, a malware exploit introduced recently that has gotten the attention of Microsoft and the security community. So, what exactly is this exploit and what can be done about it? Read on.
It used to be that researchers and attackers were looking at Windows exploits at a much higher level. Null sessions, weak share permissions, Registry hacking and password cracking were the bomb a few years back. Now, with the Blue Pill attack -- and arguably many more to come -- Microsoft is seeing that interested parties in the security community are taking things up a few notches.
All in all, the Blue Pill discovery is fascinating. Certainly a lot of smart minds are thinking of ways that hardware and software can be manipulated to keep software vendors and processor manufacturers on their toes (Intel included, since this type of attack could affect its virtualization technology, too). Obviously, Microsoft, AMD and the anti-malware vendors still have some work to do, and undoubtedly there will be more virtualization hacks.
End of our virtual worlds?
Should you avoid the 64-bit AMD processors that support SVM? Do you disable SVM in your systems' BIOS? Do you stay away from virtualization technologies altogether? Do you not deploy Vista? Do you wait until your anti-malware vendor comes up with a solution?
The simple answer to all those questions is a resounding no. First of all, the Blue Pill attack is more of a proof of concept that operating systems are never going to be completely bulletproof -- at least not as long as humans are involved. Furthermore, a lot of things have to fall into place in just the right fashion (including administrator-level access) for the Blue Pill exploit to even be possible.
I think we've got much bigger problems to be worried about than a malware weakness affecting a pre-release version of an operating system written for one specific processor architecture that requires administrator access, and won't even survive a reboot! If we can ever get past human laziness and oversight leading to default OS configurations, weak passwords, missing patches, minimal file access controls, Web applications that don't validate input and so on, then (and only then) should we worry about security flaws such as this one making a huge impact in our environments. It's a hard pill to swallow, but we've got to fix the basics first if security's ever going to be improved.
About the author: Kevin Beaver, an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC, spent six long years obtaining his degree in computer engineering, which included a lot of Blue Pill-like bit and byte manipulation. He has more than 18 years of experience in IT and specializes in performing information security assessments regarding compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at email@example.com.
This was first published in October 2006