Microsoft tries to harden Vista against kernel rootkits

Hi forum folks,

Rootkits are a problem, but Microsoft tries to make it more difficult
to get them into Vista through special certification by Verisign.
Read here:
http://www.eweek.com/article2/0,1895,1914971,00.asp

Do you think this means the end for this type of malware, or do they need more drastic means (Fritz chip)?

polonus


Sounds like a good idea to me but I guess we will have to wait and see how it goes. :stuck_out_tongue:


I guess we will have to wait and see, but for sure almost anything is better than the current situation.

As they close holes others will be looking for other means of circumventing them, so there will probably be a short honeymoon period until another hole/means of entry is found.

This is definitely the way to go (we were suggesting this to MS engineers years ago), but unfortunately, in the initial release of Vista, this will only be enforced on 64-bit versions of the OS…

I hope it won’t be as stupidly designed as DEP and ASPack :slight_smile:

What do you mean? :slight_smile:

I guess the automatic DEP disabling for ASPack-packed executables :wink:

I wouldn’t worry about any exceptions in this case.

The feature can be disabled only in Debug builds of Vista (via Vista’s variant of BOOT.INI), but that’s at your own risk, i.e. if you feel you want to do it (e.g. you’re a device driver developer and don’t want to sign your driver every time you compile it), and 99.99% of users aren’t running the debug build anyway.

There’s no way to disable it in the regular (release) build.

Like patching the kernel code responsible for the checking…?

Good to hear it will be more “resistant” to exclusions.

RE Patching the code: you mean in memory or on disk?

In memory → impossible, can only be done by kernel-mode code, of course (i.e. it’s a trust thing)

On disk → probably possible, but still not easy to do (I’m sure the kernel itself is also signed and will try to detect any respective changes - although in theory, it is certainly possible).

Is this so processor intensive that the 32-bit system can’t handle it?
Don’t they realize that most computers in use are still, and will be for some time to come, 32-bit???

It’s definitely not CPU intensive. It was a business decision.

They consider x64 a NEW system, and as such, people are tolerant to the fact that drivers for some (most) devices still don’t exist. That is, it is easier to enforce the new signing policy.

On the other hand, people would be very unsatisfied if existing unsigned XP drivers wouldn’t work on Vista. I’d say that more than 80% of today’s hardware device drivers are not signed.

Cheers
Vlk