Debunking the "Blue Pill" Vulnerability Theory

In the weeks since Black Hat, the "Blue Pill" vulnerability demonstration continues to raise concerns about the security of Windows Vista. But is this something Windows admins should be alarmed about? Jonathan Hassell lays out the facts about the exploit, explains who should and should not care, and why.

Two months after Joanna Rutkowska's "Blue Pill" security vulnerability demonstration at the Black Hat Conference in Las Vegas, security mavens are still debating whether this vulnerability is indeed legitimate, or even whether Windows Vista's code is actually the problem. Let's take a look at the facts.

  • The presentation demonstrated how a user with administrative privileges over an x64-based machine could attempt to place unsigned (unverified) code directly into the Windows Vista kernel.
  • The exploit functions by creating an undetectable virtual machine in which, theoretically, malware—most likely a rootkit—could be executed. In Rutkowska's example, this "malware" was unsigned code that eventually made it into the Vista kernel, without rebooting the machine.
  • A crucial part of Rutkowska's demonstration was an alleged weakness in the AMD Pacifica SVM technology, which is a virtualization capability offered in 64-bit AMD processors. To quote Rutkowska on her blog, "I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform."
  • There is discussion and debate about whether Intel's virtualization technology is vulnerable, and if so, to what degree as compared with AMD's technology.
  • In the end, the exploit requires administrative access to the machine, a privilege threshold that, once achieved, allows all sorts of activities, both legitimate and illegitimate, that could potentially weaken or destroy the integrity of a system.
  • x64 versions of Windows Vista, by default, require drivers to be signed before installation. The purpose of this requirement is to thwart potential attacks as well as to improve system reliability. After all, buggy drivers that are signed basically carry a business card with the developers' information on it, making resolution much easier.
  • Microsoft is investigating this exploit to determine whether modifications to Vista's security mechanisms are necessary. In fact, Austin Wilson of Microsoft says, "we already have our teams combing through information to make Windows Vista even better because of [the Black Hat conference]."
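As an added example (not from the column, from Rutkowska, or from Microsoft), here is a PowerShell audit for the mitigation the driver-signing bullet describes: it enumerates the kernel-mode drivers currently loaded and reports any whose Authenticode signature does not verify. It assumes Windows PowerShell 5.1 or later, and the function name Get-UnsignedLoadedDriver is chosen here.

```powershell
# Added example (not from the article): audit the kernel-mode drivers that are
# currently loaded and report any whose Authenticode signature is not valid.
# Assumes Windows PowerShell 5.1 or later with CIM available and that the
# driver image files are readable from the current account.
function Get-UnsignedLoadedDriver {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists kernel drivers; State 'Running' restricts to loaded ones.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may carry NT-style prefixes; normalise to a Win32 path.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # Report rather than silently skip: an image path that does not resolve is worth a look.
            [PSCustomObject]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            continue
        }

        # Status other than 'Valid' covers NotSigned, HashMismatch, NotTrusted, etc.
        # Note: inbox drivers signed through a catalog file may show as NotSigned on
        # older PowerShell versions, so treat the output as a review list, not a verdict.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Name   = $d.Name
                Path   = $path
                Status = $sig.Status
                Signer = $sig.SignerCertificate.Subject
            }
        }
    }
}

# Usage: list anything loaded in the kernel that does not carry a valid signature.
Get-UnsignedLoadedDriver | Format-Table -AutoSize
```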

The fact that this exploit even occurred is alarming. But exactly whom should it alarm? Windows system administrators? Those thinking of running Windows Vista x64? Or all administrators? I believe it's something we all should be concerned with.

A fundamental tenet of computer security is that a user with administrative powers can do a lot to a machine -- including format an entire hard drive. This tenet is why privilege escalation attacks are so problematic. But in this particular "blue pill" exploit, there was no privilege escalation. And the chances of someone obtaining remote access to a machine with administrative privileges and being able to successfully pull off this exploit are very slim. In fact, no one has done so yet.

So has Windows Vista security been blown away? Has all the work the development team put into the product been for naught? Absolutely not. The response to Windows Vista's security at Black Hat was actually quite positive, which is saying something significant when you consider the typical makeup of the audience at the conference—they're hardly Microsoft apologists.

Good things are happening when it comes to security in Vista. Don't let this "blue pill" business make you think otherwise.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security. Ask Hassell a hardening Windows question today.
