Microsoft looks for ways to combat Blue Pill, code-signing bypass

[crookbond]

After security researcher Joanna Rutkowska Thursday demonstrated how it’s possible to circumvent security in Microsoft’s Vista beta software and install a rootkit called Blue Pill, Microsoft said it intends to find ways to stop both potential threats before Vista ships.

At the Black Hat conference, Rutkowska, security researcher at Singapore-based firm COSEINC, showed that she found a way to bypass the Vista integrity-checking process for loading unsigned code into the Vista kernel. Then she presented Blue Pill, a rootkit she created based on Advanced Micro Devices (AMD) Secure Virtual Machine, Pacifica.

On bypassing the signature-checking mechanism for device drivers that Microsoft is including in Vista to prevent loading of malware or unauthorized software, Rutkowska said, “The fact that this mechanism was bypassed does not mean that Vista is completely insecure. It’s just not as secure as advertised.” She added: “It’s very difficult to implement a 100% efficient kernel protection in any general-purpose operating system.”

Source : http://www.networkworld.com/news/200...blue-pill.html

plz mention the rest of the story, to prevent ranting

1) the Bug was found & hacked on an older build of Vista, this bug is now fixed

2) The hacker used Administrative account to hack; now in normal user case, anything like that will be prevented with UAC

3) This was a driver signing flaw, MS already states from a long time, that users should go for WHQL or trusted drivers only