Sunday, August 05, 2007

RE: Vista (Unsigned Driver Loading)

While I don't normally read much of anything coming out of Tech-mongering The Register, I had to drop in and read the following post: New tool enables loading of unsigned drivers in Vista.

Meet Atsiv

Seems Linchpin Labs developed a tool (Atsiv) that will allow a user to load an unsigned or legacy driver on Windows XP, 2003, or (drum-roll please) Vista.

That last one is important because on the 64-bit editions of Vista Microsoft requires kernel-mode drivers to carry a valid digital signature before the kernel will load them.  If you just want to force the issue, your sanctioned choices are to disable enforcement for a single boot from the F8 menu, to put the machine into test-signing mode, or to simply do without whatever the driver would have provided.  It's a security thing...see. (Although the article points out there are some limitations.)

I've read mixed comments, ranging from posters who say they are already able to load unsigned Vista drivers without any problems to those who see this as a vector for rootkit-based malware.  Based on that light review, I am kinda feeling this is primarily a Vista x64 edition issue discussion.

Microsoft Stirs

Microsoft eventually waded into the issue with Microsoft Windows Security Architect Scott Field responding over on the Windows Vista Security Blog: x64 Driver Signing Update.

Scott described Microsoft's response in detail; whether it is a GoodThing™ or not depends on your take.

1) It's not necessarily a security issue, because Atsiv requires administrative privileges to install its driver; if you are mucking around with it, you already have full control of the machine and presumably are smart enough to know what you are doing and that you want to do it in the first place.

2) Kernel Mode Code Signing (KMCS), which the Atsiv utility "bypasses", isn't a "security boundary".  It enforces digital signatures so that the author of kernel code can be identified and reported via Microsoft Online Crash Analysis.  That lets Microsoft work with (work over?) the author to ensure the code is improved and doesn't harm the user or the Vista OS.

3) KMCS worked perfectly with the Atsiv utility.

  • It fingered the author of the Atsiv code, because the Atsiv loader driver itself had to be signed before the kernel would accept it.
  • It did check the Atsiv code before loading it.
  • It allowed Microsoft to release a Windows Defender update that detects, blocks, and removes the current Atsiv driver.
  • Since it fingered the offender, Microsoft managed to get VeriSign to revoke the digital certificate Atsiv was signed with, so the code-signing key the utility uses is now invalid.
  • Microsoft may add the revoked key to the KMCS revocation list as "an additional defense in depth measure." (That step matters because the kernel doesn't consult an online revocation list when it loads a driver; a VeriSign revocation alone doesn't stop an already-signed copy from loading.)
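To see what "identified by its signature" and "revoked certificate" look like from the administrator's side, here is an added example, not code from the original post, from Microsoft, or from Linchpin Labs.  It enumerates the kernel drivers currently running, checks each one's Authenticode signature, and builds the signer's certificate chain with online revocation checking so a driver whose signing certificate has since been revoked (as happened to Atsiv's) is flagged.  It assumes an elevated Windows PowerShell 3.0 or later session; the function and parameter names are my own.

```powershell
# Added example (not from the original post, Microsoft, or Linchpin Labs).
# Assumes an elevated Windows PowerShell 3.0+ session. Function names are my own.

function ConvertTo-DriverFilePath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\...\foo.sys, \SystemRoot\system32\drivers\foo.sys,
    #   system32\drivers\foo.sys, or a plain (possibly quoted) path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # Report only drivers that are unsigned, badly signed, or signed with a revoked certificate
        [switch]$ProblemsOnly
    )

    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'") {
        if (-not $d.PathName) { continue }
        $path = ConvertTo-DriverFilePath $d.PathName
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $revoked = $false
        $chainErrors = @()
        $signer = '(unsigned)'

        if ($sig.SignerCertificate) {
            $signer = $sig.SignerCertificate.Subject
            # Authenticode verification alone won't say the certificate was revoked after the
            # fact; ask the chain engine explicitly and let it consult the CRL/OCSP endpoints.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            $null = $chain.Build($sig.SignerCertificate)
            $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status })
            $revoked = [bool]($chainErrors | Where-Object {
                ($_ -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) -ne 0
            })
        }

        $problem = ($sig.Status -ne 'Valid') -or $revoked
        if ($ProblemsOnly -and -not $problem) { continue }

        [pscustomobject]@{
            Driver      = $d.Name
            Path        = $path
            Status      = $sig.Status
            Signer      = $signer
            Revoked     = $revoked
            ChainErrors = ($chainErrors -join ', ')
        }
    }
}

# Usage: list every running driver that is unsigned, badly signed, or signed with a
# certificate that has since been revoked.
Get-DriverSignatureReport -ProblemsOnly | Format-Table -AutoSize
```

Two caveats.  Get-AuthenticodeSignature applies the user-mode Authenticode policy, not the kernel's KMCS chain policy (which requires a chain to Microsoft's code verification root via a cross-certificate), so a "Valid" result here is not a promise that the kernel would load the file.  And the revocation check above is an online one, which is exactly what the kernel cannot do at driver load time; that is why Microsoft keeps its own KMCS revocation list and why getting VeriSign to revoke the certificate was only half of the response.  If you want to know whether a machine has enforcement switched off, `bcdedit /enum {current}` shows the testsigning setting.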

That ought to teach those upstarts, and the end users who want to run hardware whose signed Vista drivers don't exist yet (and may never exist), not to try a flea-flicker play on Microsoft.  Don't like what someone is doing? Put the smack-down on them with a certificate revocation.

The Point Is....

Yes, yes.  I REALLY understand why Microsoft feels they have to do this...and it might indeed be a valid and good position to take on their part.  They do have a vested interest in making sure Vista is actually as secure a product as they are touting it to be.  These little leaky holes in the dike could grow worse, and malware writers no doubt would love to take advantage of them.

That said, pulling one of the few means users had to get some of their purchased hardware working with Vista, while properly certified drivers have yet to see the light of day, seems a bit rough.

The comments under that post are pretty good reading and not the usual Microsoft hate-post material.

--Claus
