
VBootkit Bypasses Vista's Code Signing

kdawson posted more than 7 years ago | from the breaking-into-your-own-hardware dept.

Security 210

An anonymous reader writes "At the Black Hat Conference in Amsterdam, security experts from India demonstrated a special boot loader that gets around Vista's code-signing mechanisms. Indian security experts Nitin and Vipin Kumar of NV labs have developed a program called the VBootkit that launches from a CD and boots Vista, making on-the-fly changes in memory and in files being read. In a demonstration, the 'boot kit' managed to run with kernel privileges and issue system rights to a CMD shell when running on Vista, even without a Microsoft signature. The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost. Schneier blogged the exploit."


Is it just me that thought (5, Funny)

zappepcs (820751) | more than 7 years ago | (#18599225)

Isn't it ironic that even hackers don't like the high cost of MS software?

FTFA: "The researchers say the only reason they didn't do it on Vista final was cost."

Re:Is it just me that thought (1)

robgig1088 (1043362) | more than 7 years ago | (#18599245)

Not really ironic, just funny as hell XD

Re:Is it just me that thought (1)

HolyCrapSCOsux (700114) | more than 7 years ago | (#18599289)

You would think they could have just installed a *cough* Hacked copy of Vista

Re:Is it just me that thought (5, Insightful)

Sancho (17056) | more than 7 years ago | (#18599453)

They probably did--that's probably why they are confident that it would work on there. They just don't want to actually claim success since it was done illegally.

Re:Is it just me that thought (3, Informative)

tftp (111690) | more than 7 years ago | (#18599625)

As far as I know, one can legally install an evaluation copy of Vista, with a blank CD key, and evaluate it for some number of days. Then it expires.

Re:Is it just me that thought (0, Flamebait)

Ash Vince (602485) | more than 7 years ago | (#18600189)

I have a feeling these people know a little more than you. :)

Doesn't work on RTM (0)

Anonymous Coward | more than 7 years ago | (#18600487)

Yes, "cost" is a totally bogus claim to make. You install it, and you have by default a month to try it. Then you can use the "rearm trick" to reset that 30 day counter for up to 3 times IIRC -- 120 days per install. And spending 10 minutes reinstalling every 4 months for a test box is not such a big issue IMO. Besides, Vista basic (it doesn't need to be the ultimate version to try this) isn't that expensive (around 100$ IIRC), and already comes bundled with a lot of new (and inexpensive-ish) computers nowadays...

I'm surprised they couldn't find a better excuse instead of saying "it only works on RC2/doesn't work on RTM"... Bollocks I say!

Re:Is it just me that thought (2, Insightful)

EvanED (569694) | more than 7 years ago | (#18599807)

There's a validity result there though, in addition to what the other two responses said. If it's a hacked copy of Vista, then there's already something to make it do things that it's not supposed to do. I would be more skeptical of this result if it came from a hacked final copy than from RC2.

Re:Is it just me that thought (0)

Anonymous Coward | more than 7 years ago | (#18599377)

How is this ironic? Because hackers are the ones setting the price for MS software? Are hackers supposed to be really rich, so that when *even* they find it too much it's "ironic"?

I really don't follow. It's like saying, "Isn't it ironic that carpet cleaners find MS software too expensive?"

Fuck Alanis Morissette (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18599495)

Her song "Ironic" has ruined the word. Here is the definition:

ironic

adj 1: humorously sarcastic or mocking; "dry humor"; "an ironic remark often conveys an intended meaning obliquely"; "an ironic novel"; "an ironical smile"; "with a wry Scottish wit" [syn: dry, ironical, wry]

2: characterized by often poignant difference or incongruity between what is expected and what actually is; "madness, an ironic fate for such a clear thinker"; "it was ironical that the well-planned scheme failed so completely" [syn: ironical]

Oh, and by the way, I would like to fuck Alanis Morissette.

Re:Fuck Alanis Morissette (1)

zappepcs (820751) | more than 7 years ago | (#18599549)

By your definition #2, a hacker that is concerned about the cost of the software qualifies... at least I think so.

Re:Fuck Alanis Morissette (4, Funny)

holloway (46404) | more than 7 years ago | (#18600313)

Interpretations of Alanis's Song "Ironic", 1) She didn't know the meaning of the word and the song's examples prove it. 2) She did know the meaning of the word and she consistently came up with examples that weren't ironic. Naming the song ironic would then be quite ironic. There's no real evidence either way. She said in an interview that it's (2) so I guess it's all to do with whether you believe her.

WOW! (0, Troll)

tnhtnh (870708) | more than 7 years ago | (#18600655)

Wow, so some security experts from India demonstrated that they could own a *RC* version of Vista...

channel9 (3, Interesting)

Anonymous Coward | more than 7 years ago | (#18599233)

And here's a video interview [msdn.com] of the guys who admit to be responsible.

Boot Sector Virus (5, Insightful)

w128jad (643759) | more than 7 years ago | (#18599237)

Are we about to see the dawn of a new day for the Boot Sector Virus?

New branding names (4, Funny)

EmbeddedJanitor (597831) | more than 7 years ago | (#18599265)

Windows Genuine Rootkit Advantage
Roots for Sure
Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
C'mon folks help me out!

Re:New branding names (1, Funny)

Anonymous Coward | more than 7 years ago | (#18599621)

You seem to be making a joke, cancel or allow?

Re:New branding names (0)

Anonymous Coward | more than 7 years ago | (#18599869)

Vista - deep view
+
Zune - brown
=
prior art problem - colonoscopy

Re:New branding names (2, Interesting)

tinkertim (918832) | more than 7 years ago | (#18600621)

Windows Genuine Rootkit Advantage
Roots for Sure
Clippy Boot: "You seem to be wanting to run as Admin, can I help?"
C'mon folks help me out!


I think Vista could come out with "That's not a bug, its a feature .. so that fully virtualized instances of Vista can be modified by third party boot loaders for dynamic reprovisioning".

Actually, since local access to fully virtualized instances is a moot point, it would be (arguably) a feature in that respect.

disk = [ 'phy:/hasta/la/vista/baby,ioemu:hda,w' ]

I'm just wondering now at what point they'll open source the whole damn mess hoping a community forms around it to fix it. Seems like that's already happening to a degree.

Vista : From the people who brought you edlin.

Looks like it (5, Funny)

Sancho (17056) | more than 7 years ago | (#18599269)

Of course, it will be one of those that relies on a code of honor:

"This is the Windows Vista Boot Sector Virus kit. Please burn this ISO to a CD and boot your computer with it."

Re:Looks like it (1)

daniel_newton (817437) | more than 7 years ago | (#18599299)

I think the grandparent was referring to the boot sector of a hard drive. Which, if I am not sadly mistaken, is another method of achieving the same thing.

Re:Looks like it (5, Interesting)

Sancho (17056) | more than 7 years ago | (#18599429)

True, but it's a more complex situation than that.

In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this.

My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.

Re:Looks like it (2, Informative)

PDXNerd (654900) | more than 7 years ago | (#18599691)

My guess is that compromising this particular security mechanism will be hard. Vista engineers worked pretty hard on the signed code requirement and on hardening kernel-level services to prevent the likelihood of attack. Getting unsigned code to run is going to require a hole in the kernel or a kernel driver (not user-mode drivers, as most Vista drivers must be). Is it possible? Sure, and it's been demonstrated in RC1 (or was it RC2 that the Bluepill malware exploited?). But it is damned hard, and between that and automatic updates available and on by default, I think we're unlikely to see any of the absurd worms of a few years past.

Sooooooo..... What you're saying is that wide-spread exploitations [pcmag.com] of an animated cursor library flaw [slashdot.org] are things of the past? Thank science my Windows PC is safe from administrative privilege granting exploits, because the administrator can't disable things like automatic updates and code signing and junk! Sweet!!

Re:Looks like it (3, Informative)

Sancho (17056) | more than 7 years ago | (#18599721)

Apparently, administrator cannot disable the code-signing requirement (at least, not on X64, which is what this article talks about). Although there has been talk of this as a possibility, the more I look, the more it appears that this was a pre-RTM setting which is now ignored.

Yeah, we'll see some worms, but like I said, I doubt they'll be of the magnitude of some of the ones in recent memory.

Re:Looks like it (1)

sumdumass (711423) | more than 7 years ago | (#18599861)

I wonder if something could be done to look for a USB memory stick and install this boot code there so it affects the hard drive on the next restart?

Most newer computers can boot from USB, and if they use the USB memory swap thing, it is likely one will be around. The exploit might not be as hard as thought. Especially if a zip file could check for a USB memory device and then extract portions of code there as well as in the regular place. Then the traditional email saying "don't look at this" might work.

Re:Looks like it (1)

Tom (822) | more than 7 years ago | (#18601363)

You assume that these protections stay. They won't. Like all other protections before, they'll be broken, they just aren't at this time.

Once you have one hole into the kernel that allows you to run arbitrary code on the kernel level, it's game over. Not only in Vista, same is true for Linux, OSX, heck even Linux with SELinux enabled.

Given Vista's complexity, and MS track record, I wouldn't bet a dime on the kernel staying unbreached for very long.

Re:Looks like it (1)

toadlife (301863) | more than 7 years ago | (#18599821)

What the hell does the ANI flaw have to do with hacking Vista's kernel and running unsigned code?

Re:Looks like it (0)

Anonymous Coward | more than 7 years ago | (#18600791)

Absolutely nothing at all. What PDXNerd is doing is talking out of his arse, knowing that 90% of Slashdot readers will think to themselves "hmmm...that doesn't make any sense, I don't think that's right...oh! it bashes Windows, I'll mod it up anyway".

Re:Looks like it (1)

whyloginwhysubscribe (993688) | more than 7 years ago | (#18601519)

I think that you can make the connection that there are other ways of compromising a system without getting around the added security in Windows Vista. For example, buffer overflow errors...

Re:Looks like it (2, Interesting)

brogdon (65526) | more than 7 years ago | (#18599827)

"In order for the boot sector to be compromised [in x64 Vista], there must already have been a kernel-level compromise. Unsigned kernel-level code must have already run. Further compromising the boot sector would certainly be a way of maintaining control over the system, but that's not the hard part in a scenario like this."

That's mainly true if you're running Vista 100% of the time, right? In theory, if a hacker was trying to alter his own copy of Vista rather than create a virus (perhaps to foil DRM), could he not create some Linux LiveCD-based tool to do the job? Basically boot to the CD, have it load an OS, run the tool to alter the Boot Sector of the desired HDD, install the code in question and reboot into the newly-neutered Vista?

Or is there some kind of boot sector wizardry performed by Vista that I'm not aware of?

Re:Looks like it (1)

smash (1351) | more than 7 years ago | (#18599457)

Which the virus is probably going to be unable to write to, unless it exploits the o/s to gain such access. This exploit does not provide such access, it requires booting the os from a special boot loader.

Well, no shit. If you boot from a custom boot sector before the o/s is even resident in memory, of course it can do anything...

Re:Looks like it (1)

w128jad (643759) | more than 7 years ago | (#18599541)

The most positive thing to prevent this from actually happening is the decline of the floppy disk. However, many modern BIOS can and do boot from USB thumb drives. Is it possible to write the boot sector on a USB drive in Vista? Is it that unlikely that a kernel-driver could be exploited? Worm + kernel-driver exploit could mean boot sector access. Or hey, download this CD of cute screen-savers... Only need to reboot one time to finish the installation... I don't know, I'm just thinking out of the "box".

Re:Looks like it (1)

tftp (111690) | more than 7 years ago | (#18599649)

It does not matter if Vista allows you to create a USB bootable flash disk [aaltonen.us] - other OSes will do that. If your computer is not physically secure then it is not secure at all. Even today you can come with your own USB flash disk, boot someone's computer from it (barring the BIOS password) and have access to anything that is on the HDD.

Re:Looks like it (1)

Sancho (17056) | more than 7 years ago | (#18599713)

The issue is whether or not malware can create (and/or modify) the boot sector on a USB drive that is left in the computer through successive reboots. A user-mode virus could infect the USB drive, then the next time the computer is booted, it would boot the USB drive (modifying memory much the same way that this exploit does) before passing control to the hard drive and Vista. Of course, this requires that USB booting is enabled in the BIOS.

That's how a lot of boot-sector viruses spread in the old days. The virus would infect every floppy that was inserted into the computer, and eventually, one of them was pretty likely to be left in the drive during a reboot. At that point, even if the disk wasn't "bootable", the damage was done. The user would see that the computer wasn't booting, eject the disk, and boot into the now compromised OS.

Re:Looks like it (1)

smash (1351) | more than 7 years ago | (#18599801)

Before it can modify the boot sector, it has to run.

This exploit doesn't run unless you manually boot from it first.

As another poster said, the significance of this is not so much about virus propagation, but more about enabling the user to manually intervene and circumvent the requirement for code signing (and thereby, in turn, perhaps circumvent the DRM security in Vista).

Re:Looks like it (1)

pipatron (966506) | more than 7 years ago | (#18601053)

Unless the content on the HD is encrypted.

Re:Looks like it (1)

Opportunist (166417) | more than 7 years ago | (#18600115)

Considering just how dumb some people are when it comes to infecting their machines, I wouldn't call that an impossible attack vector...

Re:Boot Sector Virus (mod parent up) (1)

ookabooka (731013) | more than 7 years ago | (#18599309)

Are we about to see the dawn of a new day for the Boot Sector Virus?

This is a very interesting point. The difficulty of course still remains with getting the virus into the boot sector, but once there it would be no different than your run-of-the-mill XP virus with administrator privileges. Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's Fort Knox.

Re:Boot Sector Virus (mod parent up) (5, Funny)

Volante3192 (953645) | more than 7 years ago | (#18599349)

Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.

No problem. We just send a flying circus over the BIOS, dump some VX gas on it, then march in with the industrial laser. Then we cut a hole, drop the virus in and, BOOM! Instant instability.

This is assuming, of course, Vista hasn't seduced the leader of the flying circus by this point, at which case the whole plan's shot to hell.

Re:Boot Sector Virus (mod parent up) (1)

harry666t (1062422) | more than 7 years ago | (#18600891)

> I'm sure Vista (and hell, even
> the BIOS) guard the boot sector
> like it's fort knox.

LinuxBIOS ahead.

Re:Boot Sector Virus (mod parent up) (2, Interesting)

TheRaven64 (641858) | more than 7 years ago | (#18601549)

Fortunately I'm sure Vista (and hell, even the BIOS) guard the boot sector like it's fort knox.

Does it guard all disks, or just the boot disk? If it guards all disks, then this could make it difficult to create bootable disks in Vista. If it only guards the boot disk, it means the virus could easily write to the boot sector of a flash drive. Anyone who booted a USB-bootable PC with the USB drive attached would not notice anything amiss, but would have the virus running with SYSTEM privileges (and even Administrator can't kill SYSTEM's processes). This computer could then install the boot sector virus on every single disk it came into contact with.

This is how a lot of viruses used to spread. It needs someone to forget to unplug their USB key before booting, but the old ones required you to forget to eject a floppy disk before booting, and still managed to spread a long way.

Cost? (5, Interesting)

biocute (936687) | more than 7 years ago | (#18599271)

Cost as in the money one has to pay to acquire a copy of Vista, or the cost of developing a Vista-Final-compatible VBootkit?

I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

Re:Cost? (2, Insightful)

Rosco P. Coltrane (209368) | more than 7 years ago | (#18599419)

I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

Perhaps because Microsoft will patch this and render the boot kit useless in less time than it takes to say "oh my god, my unsigned drivers don't work anymore"?

Re:Cost? (1)

BlueTrin (683373) | more than 7 years ago | (#18600795)

Perhaps because Microsoft will patch this and render the boot kit useless in less time that it takes to say "oh my god, my unsigned drivers don't work anymore"?
KB45641348 - Fix for boot kit (Vista)
This fix patches a problem for the boot kit for Vista, after installation, Clippy will appear at boot time and ask you if you want to really boot the infected CD.
[Allow/Cancel]

Small problem (1, Interesting)

Anonymous Coward | more than 7 years ago | (#18599439)

A small problem is that the cost was not Vista RC2 (which was free) but the development time for the VBootkit. The developers had to start the process somewhere from the initial release to RC2 status. That is a chunk of development work by 2 programmers. Once they had a working copy on RC2, they stopped. To continue would cost more money to extend their research into the production version of Vista.

I am sure they could get some funding from various organized syndicates to further their development.

Re:Cost? (1)

Jah-Wren Ryel (80510) | more than 7 years ago | (#18599497)

I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

These guys are in India where CS salaries are about one tenth of what they are in the USA, but Vista costs just about the same there as it does in the USA. So, consider how likely it would be for someone to toss $2000-$3000 to an unknown company in the USA with zero chance of getting a return on the money?

Re:Cost? (2, Funny)

Anonymous Coward | more than 7 years ago | (#18599749)

When I first read your remark, I thought you said it cost too much memory to run Vista. That seems to make a lot of sense.

Cost of OS - $120
Price of extra gig of memory - $80
Look on Ballmer's face when Windows gets rooted - priceless!

Re:Cost? (1)

jkrise (535370) | more than 7 years ago | (#18599969)

I find it hard to believe they cannot find a sponsor (maybe even a computer shop) to give them a copy to play with.

I think although they mentioned cost as the excuse, they might've been scared about something in the EULA of the final version which could possibly make their experiment or publishing its results a criminal offence.

Incidentally, I'd like Mark Russinovich's detailed response to this, but now he's a full-time MS employee it would probably be useless.

and in a related story... (3, Insightful)

Ferzerp (83619) | more than 7 years ago | (#18599275)

"hacker" uses a boot disk in linux and wipes the root password!!!

Why is this a story? Physical access (needed to boot from an alternate source) has always been root access.

Re:and in a related story... (5, Informative)

Sancho (17056) | more than 7 years ago | (#18599327)

It's a story because of Vista's signing requirement for kernel drivers in x64. A boot disk like this wouldn't be useful for compromising a system in the traditional sense, and it isn't intended as such. It is intended to give control back to the owner of the computer, and as such, physical access is neither an unreasonable requirement, nor an unreasonable expectation.

Re:and in a related story... (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18599445)

If someone's piece of Malware gets to load itself onto a machine first, there isn't an OS on the planet you can't hack... I agree with the poster above, why is this a story??

-AC

Re:and in a related story... (5, Informative)

Ferzerp (83619) | more than 7 years ago | (#18599467)

Is there not an F8 boot option to load unsigned drivers?

A quick search says yes, and the flag can be set as the default behavior as well.

http://www.unofficialvista.com/article/204/installing-unsigned-drivers-in-64-bit [unofficialvista.com]

Re:and in a related story... (1)

Sancho (17056) | more than 7 years ago | (#18599499)

Ooh, nice. I was aware of the F8 'trick', but I was under the impression that there was no way to permanently disable the checks. Thanks for the tip!

Re:and in a related story... (4, Informative)

PhrostyMcByte (589271) | more than 7 years ago | (#18599533)

The flag to set default behavior was disabled in RTM and iirc RC2. You can set it, but it has no effect.

Re:and in a related story... (3, Informative)

J Isaksson (721660) | more than 7 years ago | (#18600135)

This is untested by me since I don't run x64, but here is supposedly the Vista x64 RTM method for permanently disabling the driver signing requirement:

Start/Programs/Accessories
Right-click "command prompt" and select "run as administrator"
At the command prompt, type bcdedit /set loadoptions DDISABLE_INTEGRITY_CHECKS
Reboot!

In case you want to enable the driver signing requirement again:
bcdedit -deletevalue loadoptions

(Blatantly borrowed from http://www.teamxlink.co.uk/forum/viewtopic.php?t=20068&start=20 [teamxlink.co.uk] )

Re:and in a related story... (1)

davester666 (731373) | more than 7 years ago | (#18599731)

It's a story because of Vista's signing requirement for kernel drivers in x64. A boot disk like this wouldn't be useful for compromising a system in the traditional sense, and it isn't intended as such. It is intended to give control back to the owner of the computer, and as such, physical access is neither an unreasonable requirement, nor an unreasonable expectation.

Could this be used to make the kernel 'think' it's running all signed drivers, while actually having loaded unsigned drivers then?

Re:and in a related story... (3, Interesting)

elronxenu (117773) | more than 7 years ago | (#18600303)

Well, if you want to get back control of your computer, you could uninstall Vista and install Linux.

Sure, this technique could be used to let you modify Vista and patch device drivers and so on, but you'd still be fighting Microsoft and their whole "we'll tell you where to go today" attitude toward operating systems.

On the other hand you could install Linux and maybe experience some temporary discomfort as you get used to the user interface or different applications (openoffice or abiword or scribus instead of MS Word, etc). Maybe you have to give up some games if they won't run emulated. Whatever it costs you in conversion, consider that you've bought your freedom from the domination of Microsoft. You now have a stable, reliable system developed by people whose interests are aligned with your interests, rather than those of the most hated organisations in America.

Linux ... There are no backdoors, no spyware; it's pretty much immune to viruses. It won't "phone home" and accuse you of piracy, it won't disable itself about licensing issues, or degrade the picture quality. You can run it on multiple computers if you want. You can share it with a friend if you want. You can update it from the net, forever. There will always be new free applications for you to use.

Microsoft Vista ... it's an operating system designed to meet the needs of major corporations: Microsoft, the RIAA, MPAA. Managing system resources and running applications is a secondary function; the primary function is to lock you into Microsoft software and extract the maximum possible amount of money from your wallet. What's good for Microsoft is not necessarily good for the user; Microsoft's interests do not align with your interests.

There's a Cave Troll chained to a rock in the middle of an Arena. The Cave Troll is hungry and roars continuously. You throw people to the Troll as sacrifices. But the Troll continues to roar; it will never be satisfied. It grows bigger - someday soon it may break its chains and eat us all. Microsoft is the Cave Troll. Are you going to continue to sacrifice people to it? Or are you going to say "enough is enough" and take back your control - take back your dignity?

Re:and in a related story... (1)

Anpheus (908711) | more than 7 years ago | (#18600661)

Cave troll indeed!

I propose a new Internet Law: "Godwin's Law, The Second."

It goes like this, "As a discussion increases in volume, the probability of someone creating an analogy between the subject and RIAA or MPAA increases to 1." And using them as part of your argument should immediately discredit it.

Re:and in a related story... (1)

Marbleless (640965) | more than 7 years ago | (#18599603)

Why is this a story?

It's anti-MS ..... you must be new here ;)

Not always. (0)

Anonymous Coward | more than 7 years ago | (#18599859)

Memory altering like this is hard to stop.

Most Linux boot disk attacks are stuffed against a fully encrypted Linux requiring a password to start up. I.e. with no password, not even Linux can boot.

This attack on Vista would most likely also work even if BitLocker was in effect.

Hmmmm... (1)

TheSHAD0W (258774) | more than 7 years ago | (#18599345)

I wonder how this will affect Microsoft's DRM?

Re:Hmmmm... (3, Insightful)

Opportunist (166417) | more than 7 years ago | (#18600141)

Umm... blow it to pieces?

I foresee that this exploit will be less used for traditional attack rootkits; it seems more like a very convenient way to get rid of all the unwanted 'security features' (read: the ones that protect the makers of your content instead of you) of Vista.

But... (1)

Steve--Balllmer (1070854) | more than 7 years ago | (#18599407)

Symantec says Windows is the most secure OS...

Cost? How much? (0)

Anonymous Coward | more than 7 years ago | (#18599481)

The demo was run on Vista RC2. The researchers say the only reason they didn't do it on Vista final was cost.

COST???? How much are you talking about?

The cost of toiling over GPL -- lack of money (0)

Anonymous Coward | more than 7 years ago | (#18601287)

The cost of toiling over GPL -- lack of money. Somebody, quick, hand them a fiver! Hate to see people beg.

Re:Cost? How much? (1)

Taco'd (1082907) | more than 7 years ago | (#18601317)

500 bucks for Vista Ultimate.

Not a good week and it's only 1/2 over (5, Funny)

djupedal (584558) | more than 7 years ago | (#18599483)

Let's see:
  • VBootKit bitch slaps VISTA
  • Animated cursor panic/fix
  • EMI/Apple DRM shun ropa-dopes WMA
  • XBox Elite HD-DVD chokes on popular title
  • XBox Elite HDMI only v1.2
  • Class action suit for bait/switch 'VISTA Ready' claims
Can't wait to see how the rest of the week plays out....heheheheh

Re:Not a good week and it's only 1/2 over (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#18599617)

Let's see...
  • VBootKit "bitch slaps Vista" -- you're obviously a fuckin genius... here's a clue: ANY malware that loads onto the computer first can (to use your vernacular) "bitchslap" any software that loads after it. This is a non-story. Even the guys who wrote this thing said (paraphrasing) "it just goes to show that if you have physical access to hardware, you can do whatever you want"... which is like, NetEngineer training day 1, hour 1 stuff (right after the "Hi my name is..." part of the course).
  • Anyone who actually lets a website install (a) Smilies or (b) Animated Cursors on their computer pretty much deserves whatever happens to them.
  • Other Apple headline of the week: "Apple gets investigated by EU for iTunes Monopolistic Practices"
  • One popular HD-DVD title doesn't work; sounds to me more like something anomalous done by the producer of that particular title.
  • Yet another B/S lawsuit brought by an American looking for a cash payout from a rich corporation. That whole thing is such complete crap it makes the McD's hot coffee suit look like serious legerdemain. First off, the stickers are accurate. Second, if the OEMs portray the computers that THEY'RE selling in a misleading way, then it's THEIR fault the customer was misled, not MS's. Third, most "consumer rights" in most of the US are based on the precept of "Buyer Beware". If you're a non-technical person and you're buying a PC, and you F-it-up b/c you couldn't bother doing a little research, well TFB, it's your own damn fault. This suit is so frivolous that, if the justice system had any degree of rationality in it, I'd be surprised if it went anywhere. Being as it's an American tort court, logic and rationality have very little meaning though, so she'll prolly get a payday out of it anyway...

    -AC

Re:Not a good week and it's only 1/2 over (1, Troll)

7of7 (956694) | more than 7 years ago | (#18599631)

If all you read is Slashdot you'd think Windows would've been gone long ago and Linux would reign supreme. Fortunately in the real world that's not how things work. You're just the equivalent of a Neo-Con who gets all his news from the Free Republic.

Re:Not a good week and it's only 1/2 over (-1, Offtopic)

djupedal (584558) | more than 7 years ago | (#18599849)

7of7! How y'al doing, gal? How's things in the club?

I heard some downright terrible things about you, just last Monday, but I told them NO way - she can give as good as she can take ;) & MS hired her for a reason, so they must have heard wrong over all those hair-dryers and other low-heeled yammerers, you know :)

In any case, if it turns out to be true, your secret is safe w/me, so don't worry your pretty little head...

Off topic...hehehe (0, Offtopic)

djupedal (584558) | more than 7 years ago | (#18600205)

I'm off topic and Stephanie wasn't....is that the best you can do? C'mon...I can take it :)

VM? (4, Interesting)

mr100percent (57156) | more than 7 years ago | (#18599519)

So, it's being hacked because Vista is booted from within some sort of VM? That doesn't sound like too much of a threat to machines. A threat to DRM, maybe.

Re:VM? (1)

Yetihehe (971185) | more than 7 years ago | (#18600273)

So, it's the first root/bootkit that actually adds value to windows :/

if you have physical access to the system... (4, Insightful)

dioscaido (541037) | more than 7 years ago | (#18599571)

...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?

Re:if you have physical access to the system... (1)

Sancho (17056) | more than 7 years ago | (#18599591)

Yes, but that's the point :)

This specific exploit is good only for regaining control over your system (a system which does not let you load unsigned kernel modules).

Abstracted out, it allows any kernel exploit to maintain control of the system by modifying the boot sector of the hard drive. But you still need that initial exploit first.

Dear Mr. Gates: (5, Interesting)

Kadin2048 (468275) | more than 7 years ago | (#18599701)

...enough to do things like boot up the machine using alternate media, then the battle is essentially lost, no?

Yep. Now, who wants to type up the memo to Microsoft? Because, see, they keep trying to control your computer from Redmond, even though you're sitting at the console.

Rootkits aren't just for botnet operators anymore. Root/boot kits are the way people are going to take back their computers from Microsoft, so that they can, you know, do stuff with them.

(Although, more seriously, it's only a few people that need to have rooted machines, so that they can rip copy-protected content using kernel-level exploits to bypass the DRM enforcement. Then they can just dump the content onto Bittorrent or some other P2P protocol, which is how the unwashed masses will get it.)

Hi, I'm a Mac (3, Funny)

Anonymous Coward | more than 7 years ago | (#18599579)

Hi, I'm a Mac...

...and I'm whatever the Russian mob wants me to be.

Grub? LILO? They've been... (1)

halfloaded (932071) | more than 7 years ago | (#18599605)

getting around Windows 'mechanisms' and straight to Linux for years...

easy to miss the point here (5, Insightful)

eerok (1033124) | more than 7 years ago | (#18599645)

Many are seeing this as a security exploit, but it seems to be a workaround to gain usability.

Interesting reversal here, but one can argue that, with Vista, the user is the virus. No surprise that people are fighting back to regain control over their machines.

Bah! (1)

GFree (853379) | more than 7 years ago | (#18599805)

That's nice and all, but couldn't they have done something more fun? Heck, they should have hacked the Vista bootscreen at least. It's so damn boring, it doesn't even have the Vista logo.

I'd have been much more impressed if they replaced it with a picture of Gerard Butler, screaming

THIS... IS... VISTAAAA!!

Now THAT's a boot screen! Bonus points for having a bunch of Hoplites dressed in red, green, blue and yellow armor.

VBootkit? or.. (1)

heretic108 (454817) | more than 7 years ago | (#18599823)

When I first saw 'VBootkit', I first read it as 'VB Rootkit'. Wonder why?

"Mitigating factors" in Vista (1)

jkrise (535370) | more than 7 years ago | (#18600025)

1. Only 14 people are running Vista as on date, the rest have upgraded to the old, familiar XP and never looked back.
2. Of these, 10 machines are in Microsoft, without any CD/DVD drives or USB ports - so no external booting is possible.
3. 3 of the 4 remaining machines are with journalists and 'independent' analysts - so they can be 'trusted' to keep shut.
4. Now, HOW are YOU going to protect your Vista against this Bootkit? Yes, YOU! You'll just upgrade to XP as well? That's fine then. Problem solved.

this is an achievement? (2, Insightful)

poindoink (1083931) | more than 7 years ago | (#18600125)

Like Linux has never been hit with a bootkit? If the only way to bust Vista's code-signing is through a bootkit, then Microsoft did something right.

Holy moron, batman. (1, Insightful)

Anonymous Coward | more than 7 years ago | (#18600665)

The reason Linux has 'never been hit by a bootkit' is because it's never been necessary for people to do that in order to work around DRM-related restrictions.

Yes, I know, that having signed drivers is supposed to be a (very) limited improvement in security over XP, but they are lying to you if they tell you that is the real reason that Microsoft is doing it.

This is just another way to crack Microsoft's DRM.
First they were able to crack the DRM for individual HD-DVD disks, then Blu-ray.
Next they have cracked the DRM on _ALL_ HD-DVD and Blu-ray disks manufactured to date.
Now they cracked the signed drivers scheme for Vista so now you can lie to applications and hardware about having 'protected media path'. You can do things like set up fake drivers and capture audio and video output to a file and rip movies that way. Perfect digital copy.

All sorts of crap like that.

All the 'digital right protections' that Microsoft has spent millions of dollars and 5 years to build into Vista have all been ripped to shreds in only a few months after its release. Now take that bit of knowledge and then read "A Cost Analysis of Windows Vista Content Protection".
http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html

I hope that now people understand what I and many other people have been saying for years, that enforced DRM is a fucking retarded idea. And it's not bad because I 'believe that artists shouldn't get paid' or because I am a communist/socialist (I am not) or anything like that.

It's a fucking stupid idea because it's just a really bad idea.

To date that hasn't been necessary to do for Linux unless you own a Tivo and they are working on the GPLv3 to 'crack' that.

Schneier blogged the exploit... (1)

MavEtJu (241979) | more than 7 years ago | (#18600235)

Nothing against Schneier (I love his cryptogram newsletter), but adding 13 words to a 65 word paragraph without giving any real information or further thoughts isn't really what I consider worth mentioning.

But what ... is it good for? (5, Insightful)

Opportunist (166417) | more than 7 years ago | (#18600241)

Many have pointed out that an attack vector that requires the attacked user to jump through a few hoops is none. This is not entirely true, but I'll cover that later.

What this is, though, is a way to gain more control over your machine. This matter has been discussed as an attack vector of some intruder trying to take over your machine. As this, it is probably not the most successful way of invading Vista (let's face it, folks, there are far easier ways). I'd like to shine some light on the opportunity of invading your own machine.

Vista has some "features" that most people would just love to get rid of. And this seems to be the key to this goal. So I'd say this is less a way for someone to take control of your machine, more likely it's a way for you to take control of it.

Of course, and here's your attack vector, the vast majority of people don't know what's ticking inside their box. They just wanna play their cracked games and view their ripped movies. And (bless the internet), they will learn about this hack and that it can be used to do just that. Being unable to rewrite the bits themselves, they will have to use tools provided by others. And they will very willingly jump through any hoops you present them, for the promise to get control over their machine, they'll give you admin access and reboot for you, they install whatever you want them to install.

That's how this can be used to invade a machine. Sure, it takes a lot of help from the user, but the user will help you very willingly, for the promise of getting his machine back into his hands.

pffff ... security (1)

BlueTrin (683373) | more than 7 years ago | (#18600333)

Next headline:
Security experts find a security breach in Lilo, by physically accessing the machine, a malicious hacker can be root by typing "linux single" at LILO boot !

Re:pffff ... security (1)

wertarbyte (811674) | more than 7 years ago | (#18600463)

a malicious hacker can be root by typing "linux single" at LILO boot !

No he can't. He will need the root password then.

Re:pffff ... security (1)

BlueTrin (683373) | more than 7 years ago | (#18600767)

No, it depends on your distrib ... or the way you configured your boot ...

You can also try this "init=/bin/bash single" instead of single ...

Re:pffff ... security (0)

Anonymous Coward | more than 7 years ago | (#18600601)

Alternatively he can just type: $(kernel name) init=/bin/bash

but that's only if the admin doesn't know what he's doing (and hasn't made use of the "restricted" lilo configuration directive and left the bios open, in which case the drives have to be removed entirely)
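The LILO exchange above turns on two directives, `password=` and `restricted`, and on what each of them actually gates. The script below is an added example, not code from the original posters or from the LILO project: it parses a lilo.conf and reports, per boot entry, whether someone at the console can append `single` or `init=/bin/bash` without a password. Both sample configurations are constructed for the example, and the semantics are simplified from lilo.conf(5): `password=` and `restricted` may be global or per-image, a per-image `password=` overrides the global settings for that image, and `restricted` means the password is asked for only when extra kernel parameters are typed at the `boot:` prompt.

```python
"""Audit lilo.conf entries for the 'linux single' / 'init=/bin/bash' console trick.

Added example, not code from the original thread or from LILO. Simplified model
of lilo.conf(5): 'password=' and 'restricted' are valid globally or per-image,
a per-image 'password=' overrides the global pair, and 'restricted' relaxes the
password to "only when parameters are given on the command line".
"""

OPEN, RESTRICTED, LOCKED = "open", "restricted", "locked"


def parse_lilo(conf):
    """Split a lilo.conf into (global options, [per-image option dicts]).
    Lines are key=value or a bare flag; '#' starts a comment."""
    glob, images, cur = {}, [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition("=")
        key, val = key.strip(), val.strip()
        if key in ("image", "other"):        # starts a new per-image section
            cur = {key: val}
            images.append(cur)
        elif cur is None:
            glob[key] = val                  # before the first image: global
        else:
            cur[key] = val
    return glob, images


def audit_lilo(conf):
    """Return {label: OPEN | RESTRICTED | LOCKED} for every boot entry.

    OPEN        no password at all: init=/bin/bash works for anyone at the console
    RESTRICTED  normal boot is unattended, but extra parameters need the password
    LOCKED      password asked on every boot of that entry
    """
    glob, images = parse_lilo(conf)
    result = {}
    for img in images:
        label = img.get("label") or img.get("image") or img.get("other")
        if "password" in img:                # per-image settings override global
            has_pw, restricted = True, "restricted" in img
        else:
            has_pw, restricted = "password" in glob, "restricted" in glob
        if not has_pw:
            result[label] = OPEN
        elif restricted:
            result[label] = RESTRICTED
        else:
            result[label] = LOCKED
    return result


# Constructed sample: the default many distributions shipped, no password at all.
WEAK_CONF = """\
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
"""

# Constructed sample: global password, relaxed to parameters only, plus a
# rescue entry that is always password-protected.
HARDENED_CONF = """\
boot=/dev/hda
prompt
timeout=50
password=s3cret        # stored in cleartext: lilo.conf must be root-owned, mode 0600
restricted             # ask only when the user types extra kernel parameters
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
image=/boot/vmlinuz-rescue
    label=rescue
    root=/dev/hda1
    password=other     # per-image password without 'restricted': always asked
"""

if __name__ == "__main__":
    print("weak:    ", audit_lilo(WEAK_CONF))
    print("hardened:", audit_lilo(HARDENED_CONF))
```

Two caveats the thread already hints at: LILO has to be re-run after editing the file for the map to pick the change up, and none of this matters if the BIOS will still boot from a CD or floppy, which is exactly the case the Vista bootkit exploits. The prompt password only closes the "type something at boot:" door, not the "bring your own boot loader" one.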

Nice demo... (1)

Jugalator (259273) | more than 7 years ago | (#18600449)

... of why Microsoft at one point wanted "Fritz chips" in the computers running Vista.

And that was of course also flamed. ;-)

It must be hard being Microsoft these days.

bypassing code using INT 13 (5, Interesting)

cancerward (103910) | more than 7 years ago | (#18600645)

Back in the 1980s Sierra On-Line used to copy protect their adventure games with a copy protection system which involved strangely formatted sectors on the original disk which were impossible to duplicate exactly using standard PC hardware. The loader "sierra.com" used to call a copy-protection program "cpc.com" which loaded data from the disk to decrypt the main program and run it. cpc.com had some of the most obscure, twisty, awful code ever written to prevent debugging and it constantly used different methods to thwart stepping through the program using INT 3 (these were the days before Soft-Ice). But the solution (or "crack") was just dead simple. Just fire up debug, step to the beginning of cpc.com, and copy the vector from INT 3 into the INT 13 vector - then cpc.com stops right at the point where the data from the disk is being loaded, so it can be copied. Despite all the incredibly complex code, cpc.com had to read the data off the disk so there was no way the Sierra programmers could thwart this method. It sounds like the same thing in Vista -- the INT 13 redirection happens before everything else and can't be thwarted.
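The INT 13 point above and the "Fritz chips" comment a few posts up are two halves of one argument: a signature check performed by software that loads after the attacker can be patched out of the image while it is being read, whereas a measurement taken by something that runs before the attacker records the tampering whether or not the later stages notice. The model below is an added illustration, not code from VBootkit, the original post or Microsoft. The stage contents, the HMAC standing in for a vendor code signature, the "firmware" whose read service is a plain attribute, and the simplified PCR arithmetic are all constructed for the example.

```python
"""Toy boot chain: why a software-only signature check falls to a read hook,
and why a measurement log taken from the first stage onward still catches it.

Added example, not VBootkit's code. HMAC with a constructed key stands in for
the vendor's code signature; stages are tiny key=value texts; PCR extension is
simplified to H(pcr || H(data))."""
import hashlib
import hmac

VENDOR_KEY = b"constructed vendor signing key"   # only the vendor "signs"


def sign(blob):
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).digest()


def verify(blob, sig):
    return hmac.compare_digest(sign(blob), sig)


# Constructed disk image. The loader stage carries the policy "check the next
# stage's signature", which is exactly the bit a bootkit wants to flip.
GENUINE = {
    "mbr":    b"stage=mbr next=loader",
    "loader": b"stage=loader verify_next=1 next=kernel",
    "kernel": b"stage=kernel require_signed_drivers=1",
}
DISK = {name: (code, sign(code)) for name, code in GENUINE.items()}
BOOTKIT = b"stage=bootkit next=mbr"   # constructed stand-in for the CD's boot code


def parse(code):
    return dict(kv.split(b"=", 1) for kv in code.split())


class Firmware:
    """Owns the disk-read service (INT 13h in BIOS terms). read_sector is a
    plain attribute because whatever runs first can overwrite it."""
    def __init__(self, disk):
        self.disk = disk
        self.read_sector = lambda name: self.disk[name]


class Tpm:
    """PCR-style measurement register: pcr = H(pcr || H(data))."""
    def __init__(self):
        self.pcr = bytes(32)

    def extend(self, data):
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(data).digest()).digest()


def hook_reads(fw, patch_loader):
    """The bootkit's hook. Patched images no longer match their signatures, but
    the only code that would check is the loader, and with patch_loader=True
    the loader is patched as it is read too."""
    real = fw.read_sector

    def hooked(name):
        code, sig = real(name)
        if patch_loader:
            code = code.replace(b"verify_next=1", b"verify_next=0")
        code = code.replace(b"require_signed_drivers=1", b"require_signed_drivers=0")
        return code, sig
    fw.read_sector = hooked


def run_chain(fw, tpm, code):
    """Measure each stage before acting on it, then follow the chain. Signature
    checks happen only where the (possibly patched) stage says so."""
    tpm.extend(code)
    while True:
        st = parse(code)
        nxt = st.get(b"next")
        if nxt is None:
            return st                                   # final stage reached
        next_code, next_sig = fw.read_sector(nxt.decode())
        if st.get(b"verify_next") == b"1" and not verify(next_code, next_sig):
            raise RuntimeError("signature check failed on " + nxt.decode())
        tpm.extend(next_code)
        code = next_code


def expected_pcr():
    """Value a verifier (or a key sealed to the clean boot) expects to see."""
    tpm = Tpm()
    for name in ("mbr", "loader", "kernel"):
        tpm.extend(GENUINE[name])
    return tpm.pcr


def boot(mode="clean"):
    """mode: 'clean'; 'bootkit' (patch loader and kernel as read);
    'kernel_only' (patch the kernel but leave the loader's check alone)."""
    fw, tpm = Firmware(DISK), Tpm()
    first = GENUINE["mbr"]
    if mode != "clean":
        first = BOOTKIT                     # the CD's code runs before the MBR
        hook_reads(fw, patch_loader=(mode == "bootkit"))
    try:
        kernel = run_chain(fw, tpm, first)
    except RuntimeError as e:
        return {"booted": False, "reason": str(e)}
    return {
        "booted": True,
        "signed_drivers_enforced": kernel[b"require_signed_drivers"] == b"1",
        "measurements_match": tpm.pcr == expected_pcr(),
    }


if __name__ == "__main__":
    for mode in ("clean", "bootkit", "kernel_only"):
        print(mode, boot(mode))
```

The `kernel_only` run shows the signature check doing its job when it is left alone; the `bootkit` run shows that the check is only as strong as the code that performs it, since the same read hook that patches the kernel also patches the loader before the loader ever executes. The measurement register tells the two apart regardless, because the bootkit's own code and the patched stages were hashed in before anything could lie about them; that is the argument for anchoring the chain in hardware rather than in the next stage down.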

Re:bypassing code using INT 13 (1)

MORB (793798) | more than 7 years ago | (#18601113)

No matter how convoluted and obfuscated your protection is, there is often a weak spot that you can take advantage of.

I remember lots of protections in amiga games and applications doing things like testing an oddly formatted track on the floppy disk or applying some complicated calculations on the data from a keyfile to check its authenticity... Before returning true or false to indicate whether the protection check was successful.
Some returned some magic number that was then explicitly compared against its expected value at some points in the code.

Those things were happening a lot when people integrated third party protection systems. Needless to say, cracking these things was like shooting fish in a barrel.

The most incompetent protection I've seen was a shareware application that embedded the protection checking function in the keyfile itself (which was actually a shared library).

Re:bypassing code using INT 13 (0)

Anonymous Coward | more than 7 years ago | (#18601567)

No matter how convoluted and obfuscated your protection is, there is often a weak spot that you can take advantage of.

Indeed, there has to be a weak spot. When you can change the code that runs, you can make it do anything - you can ensure that the copy protection routines always return the correct values for both copy protection checks and internal integrity checks.

It's the DRM problem again... the best thing that can be hoped for is a "speed bump" to slow down the cracking process. DRM vendors know this, but argue that it still prevents casual copying, so it is still worth buying their software. Bit of a dubious claim, as copy protection schemes have a very long history of causing inconvenience for legitimate users. No wonder the early crackers sometimes referred to cracks as "fixes".

the cost (1)

Bizzeh (851225) | more than 7 years ago | (#18600853)

these "security experts" didn't want to pay for vista, they aren't the type of people who would be on the beta program, so they obviously pirated the RC2 copy, why not do the same for the final? because what they found doesn't work in the final version of vista, so they released all this and tagged it with RC2, just for a pure "look what i did" factor.

Re:the cost (1)

badfish99 (826052) | more than 7 years ago | (#18600911)

Since the hack took several weeks, perhaps they simply didn't want to spend the time needed to repeat it on another version of Vista. Time, after all, is money. Then their remarks about the cost of the work have been misinterpreted as referring to the cost of Vista.
