More on Joanna Rutkowska's Blue Pill and the New Vista

so, blue pill no longer works on vista. well, that’s too bad. after talking to a few friends of mine, i decided to write a bit more about this.

the main question following this news is: does that mean we are now secure?

the answer, plain and simple, is no.

why?

1. there are other rootkit and trojan horse technologies.
2. this did not solve the problem, it just made sure a driver would have to be loaded to make it work. as a rootkit is being installed, i don’t see this as much of a setback.

what it is a setback for is legitimate software development. take a hex editor as an example: the developers would have to create a driver specifically for this purpose. i can see how this can become an issue for a lot of the software out there which needs to access the drive. now it can’t.

a driver will be written and released for bad guys to use with their backdoor tools.

to quote joanna on this issue, from the same blog:

imagine a company wanting to release e.g. a disk editor. now, with the blocked write access to raw disk sectors from usermode, the company would have to provide their own custom, but 100% legal, kernel driver for allowing their, again 100% legal, application (disk editor), to access those disk sectors, right? of course, the disk editor’s auxiliary driver would have to be signed – after all it’s a legal driver, designed for legal purposes and ideally having neither implementation nor design bugs! but, on the other hand, there is nothing which could stop an attacker from “borrowing” such a signed driver and using it to perform the pagefile attack. the point here is, again, there is no bug in the driver, so there is no reason for revoking a signature of the driver. even if we discovered that such driver is actually used by some people to conduct the attack!

but it seems that ms actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem…

gadi evron,
ge@beyondsecurity.com.
