Opinion:

Debunking the "Blue Pill" Vulnerability Theory

10 Oct 2006 | Jonathan Hassell, Contributor

Advice for securing Windows

Two months after Joanna Rutkowska's "Blue Pill" security vulnerability demonstration at the Black Hat Conference in Las Vegas, security mavens are still debating whether this vulnerability is indeed legitimate, or even whether Windows Vista's code is actually the problem. Let's take a look at the facts.

  • The presentation demonstrated how a user with administrative privileges over an x64-based machine could attempt to place unsigned (unverified) code directly into the Windows Vista kernel.
  • The exploit works by creating an undetectable virtual machine within which, theoretically, malware—most likely a rootkit—could be executed. In Rutkowska's example, this "malware" was unsigned code that eventually made it into the Vista kernel, without rebooting the machine.
  • A crucial part of Rutkowska's demonstration was an alleged weakness in the AMD Pacifica SVM technology, which is a virtualization capability offered in 64-bit AMD processors. To quote Rutkowska on her blog, "I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform."
  • There is discussion and debate about whether Intel's virtualization technology is vulnerable, and if so, to what degree as compared with AMD's technology.
  • The exploit in the end requires administrative access to the machine, a privilege threshold that, when achieved, allows all sorts of activities, both legitimate and illegitimate, that could potentially weaken or destroy the integrity of a system.
  • x64 versions of Windows Vista, by default, require drivers to be signed before installation. The purpose of this requirement is to thwart potential attacks as well as improve system reliability. After all, buggy drivers that are signed basically carry a business card with the developers' information on it, making resolution much easier.
  • Microsoft is investigating this exploit to determine whether modifications to Vista's security mechanisms are necessary. In fact, Austin Wilson of Microsoft says, "we already have our teams combing through information to make Windows Vista even better because of [the Black Hat conference]."

The fact that this exploit even occurred is alarming. But exactly who should it alarm? Windows system administrators? Those thinking of running Windows Vista x64? Or all administrators? I believe it's something we all should be concerned with.

A fundamental tenet of computer security is that a user with administrative powers can do a lot to a machine, including formatting an entire hard drive. This tenet is why privilege escalation attacks are so problematic. But in this particular "blue pill" exploit, there was no privilege escalation. And the chances of someone obtaining remote access to a machine, gaining administrative privileges, and being able to successfully pull off this exploit are very slim. In fact, no one has done so yet.

So has Windows Vista security been blown away? Has all the work the development team put into the product been for naught? Absolutely not. The response to Windows Vista's security at Black Hat was actually quite positive, which is saying something significant when you consider the typical makeup of the audience at the conference—they're hardly Microsoft apologists.

Good things are happening when it comes to security in Vista. Don't let this "blue pill" business make you think otherwise.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
