Defeating Vista Security with Drivers
Forwarded with permission from: Security UPDATE
=== CONTENTS ==================================================
IN FOCUS: Defeating Vista Security with Drivers
NEWS AND FEATURES
- OEM BIOS Emulator Bypasses Vista Activation
- Grisoft Offers Free Antirootkit Tool
- New Storm Worm Outbreak Spreading Fast
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: 37 Patches on the Way from Oracle
- FAQ: Microsoft SCE 2007
- From the Forum: Vote for Your Favorite IPS and Two-Factor
- Tell Us About the Products You Love!
- Share Your Security Tips
- Encrypt Email According to Policy
RESOURCES AND EVENTS
FEATURED WHITE PAPER
=== SPONSOR: Verio ============================================
Managing Your Web Presence
Application pooling may achieve server density but it can put your
code at risk. Download this free white paper and find out how to ensure
a reliable, secure and scalable Windows-based hosting environment.
=== IN FOCUS: Defeating Vista Security with Drivers ============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Two interesting developments came to light in the last couple of weeks,
both of which affect Windows Vista security to some extent.
The first issue centers around Windows Genuine Advantage (WGA). As
you'll learn when you read the related news story, "OEM BIOS Emulator
Bypasses Vista Activation," below, code has been released that can fool
Vista into thinking that it's a genuine copy when it's not. That feat
is accomplished by using a third-party driver.
While on the surface this doesn't seem like a security problem, it
actually is. First of all, imagine some small-to-midsized business
(SMB) trying to save money on a migration to Vista. The company might
shop around to try to find the best price possible on a new software
and hardware combination. The company ends up buying from someone who's
actually selling pirated copies of Vista that have a driver installed
to fool WGA.
Such an unscrupulous seller could just as easily have installed
anything else on the machines, including bots, rootkits, and keyloggers
that user-mode security tools would be unable to see. Vista's
protected-process feature is what makes that possible. A process marked
as protected can't be opened by other processes (even ones running as
an administrator) for memory reads, memory writes, or debugging; only a
few limited rights, such as querying basic information or terminating
it, are granted. A kernel-mode driver can set that mark on any process,
and once a process's memory can't be read, a user-mode scanner has no
way to inspect whatever malware is running inside it.
Two weeks ago, Alex Ionescu released a proof-of-concept tool called
D-Pin Purr 1.0. The tool, which works only on 32-bit versions of Vista
(64-bit Vista refuses to load unsigned kernel drivers), uses a driver
that can protect or unprotect an arbitrary process. Ionescu wrote,
"It is trivial to make a process protected or unprotected by bypassing
all the code integrity checks and sandbox in which protected processes
are supposed to run." In other words, Ionescu found a way to switch a
major Vista security feature on or off at will. It's the same feature
that many security vendors have complained about, because it keeps
their user-mode tools from fully inspecting protected processes.
If the tool really works as intended (and while I haven't tested it, I
suspect that it does), then certainly "bad guys" can create a similar
tool to defend their botnet, rootkit, and keylogger code.
Loading a driver does require administrative rights on Vista (and,
with User Account Control turned on, a consent prompt), which seems to
limit the potential impact. However, as history clearly shows,
intruders routinely chain vulnerabilities and mix in social
engineering, so getting a driver installed is well within their reach.
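The practical question for an administrator is how to tell whether a
box already has processes that refuse inspection. The script below is an
added example written for this newsletter; it is not code from Ionescu's
tool or from Microsoft. It assumes PowerShell 2.0 or later running from an
elevated prompt, and it relies on the documented Vista rule that a
protected process denies PROCESS_VM_READ and PROCESS_QUERY_INFORMATION
even to a caller holding SeDebugPrivilege, while still allowing
PROCESS_QUERY_LIMITED_INFORMATION. The function names
(Enable-DebugPrivilege, Test-ProtectedProcess) are my own.

```powershell
# Added example: list processes that refuse memory inspection even to a
# debugger-privileged caller. On a stock Vista system only the protected
# media processes (for example audiodg.exe) should show up; anything else
# deserves a closer look. Run from an elevated PowerShell prompt.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);

[DllImport("kernel32.dll")]
public static extern IntPtr GetCurrentProcess();

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LookupPrivilegeValue(string system, string name, out long luid);

// DWORD PrivilegeCount; LUID Luid; DWORD Attributes (Pack=4 matches the SDK layout)
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct TOKEN_PRIVILEGES { public uint Count; public long Luid; public uint Attr; }

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
    ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);
'@

$SE_PRIVILEGE_ENABLED              = 0x0002
$TOKEN_ADJUST_PRIVILEGES           = 0x0020
$TOKEN_QUERY                       = 0x0008
$PROCESS_VM_READ                   = 0x0010
$PROCESS_QUERY_INFORMATION         = 0x0400
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED               = 5

function Enable-DebugPrivilege {
    # With SeDebugPrivilege enabled, OpenProcess ignores the target's DACL,
    # so a later ERROR_ACCESS_DENIED is not a permissions false positive.
    $token = [IntPtr]::Zero
    $self  = [Win32.Native]::GetCurrentProcess()
    if (-not [Win32.Native]::OpenProcessToken($self, $TOKEN_ADJUST_PRIVILEGES -bor $TOKEN_QUERY, [ref]$token)) {
        throw "OpenProcessToken failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $luid = 0L
    [void][Win32.Native]::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$luid)
    $tp = New-Object Win32.Native+TOKEN_PRIVILEGES
    $tp.Count = 1
    $tp.Luid  = $luid
    $tp.Attr  = $SE_PRIVILEGE_ENABLED
    $ok  = [Win32.Native]::AdjustTokenPrivileges($token, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    # AdjustTokenPrivileges returns TRUE even when the privilege is not held
    # (ERROR_NOT_ALL_ASSIGNED), so the last-error value must be checked too.
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    [void][Win32.Native]::CloseHandle($token)
    if (-not $ok -or $err -ne 0) { throw "SeDebugPrivilege not available (error $err); run elevated" }
}

function Test-ProtectedProcess([int]$ProcessId) {
    # $true when a limited query succeeds but full inspection is denied with
    # ERROR_ACCESS_DENIED: the signature of a Vista protected process as seen
    # from a caller that already holds SeDebugPrivilege.
    $full = [Win32.Native]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    $fullErr = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($full -ne [IntPtr]::Zero) { [void][Win32.Native]::CloseHandle($full); return $false }
    if ($fullErr -ne $ERROR_ACCESS_DENIED) { return $false }   # e.g. process exited meanwhile
    $limited = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($limited -eq [IntPtr]::Zero) { return $false }
    [void][Win32.Native]::CloseHandle($limited)
    return $true
}

Enable-DebugPrivilege
Get-Process | Where-Object { $_.Id -ne 0 } | ForEach-Object {
    if (Test-ProtectedProcess $_.Id) {
        "{0,-24} PID {1,6}  memory inspection denied (protected process)" -f $_.ProcessName, $_.Id
    }
}
```

Two caveats. First, this is a heuristic from user mode: a rootkit driver that
hooks the kernel's process-open path can make any process look ordinary, so
an unexpected hit is a reason to image the machine, not the only check you
should run. Second, the "only audiodg.exe should appear" expectation holds
for Vista; later Windows releases protect far more system processes by
default, so the baseline for those must be built on a known-clean machine.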
You can read more about Ionescu's tool in his blog at the URL below,
where he also provides a download link for D-Pin Purr.
=== SPONSOR: Neverfail ========================================
The Future of Business Continuity
Having customers depend on your IT services in order to communicate,
purchase, or manage orders is great for your business. But, what
happens when your applications or Web sites are suddenly unavailable?
Download this free white paper and learn how to eliminate application
downtime disruptions of any cause and ensure the continuity of your
=== SECURITY NEWS AND FEATURES ================================
OEM BIOS Emulator Bypasses Vista Activation
While there are known methods of bypassing Windows Vista activation
requirements, a new technique turns out to be the easiest and most
effective so far in defeating Microsoft's Windows Genuine Advantage
Grisoft Offers Free Antirootkit Tool
Grisoft, widely known for its AVG brand of antivirus solutions,
announced that it's now offering a free antirootkit tool, AVG Anti-
Rootkit, for Windows 2000 and Windows XP systems.
New Storm Worm Outbreak Spreading Fast
Several companies, including Postini, iDefense Labs, and the SANS
Institute, are tracking a new outbreak of a variant of the Storm worm
that's producing heavier than normal detection rates around the
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
=== SPONSOR: HP ===============================================
Free Brief: Personal HP Workstations = Higher ROI?
Discover why financial services executives get a LOT more out of
their IT investments by investing in HP Personal Workstation
Technology. Quickly learn how workstations ensure accuracy and security
while driving down short and long term operating costs. This quick-read
guide is a must read today.
=== GIVE AND TAKE =============================================
SECURITY MATTERS BLOG: 37 Patches on the Way from Oracle
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=529DC:57B62BBB09A692790DDAF3D6C62C9E71
As part of Oracle's quarterly critical patch update, the company will
release 37 patches next week. So get ready!
FAQ: Microsoft SCE 2007
by John Savill, http://list.windowsitpro.com/t?ctl=529DA:57B62BBB09A692790DDAF3D6C62C9E71
Q: What is System Center Essentials (SCE) 2007?
Find the answer at
FROM THE FORUM: Vote for Your Favorite IPS and Two-Factor
Tell us which security products are working for you. It's not too
late to vote for the best host-based intrusion prevention system
and the best two-factor authentication solution
TELL US ABOUT THE PRODUCTS YOU LOVE!
What products are you using that save you time or make your workload
a little lighter? What hot product discoveries have you made that other
IT pros need to know about? Let the world know about your experiences
in Windows IT Pro's monthly What's Hot department. If we publish your
story in What's Hot, we'll send you a Best Buy gift card! Send
information about your favorite product and how it has helped you to
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to firstname.lastname@example.org. If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.
=== PRODUCTS ==================================================
by Renee Munshi, email@example.com
Encrypt Email According to Policy
Proofpoint announced a new version of Proofpoint Secure Messaging,
its policy-driven email encryption solution. The new version uses
Voltage Security's Voltage Identity-Based Encryption (IBE) technology
to automatically and dynamically encrypt outbound email based on
customizable policies. The updated Proofpoint Secure Messaging module
will be available in June 2007 as an optional component for the
Proofpoint Messaging Security Gateway appliance and virtual appliance.
Proofpoint Secure Messaging works with the Proofpoint Regulatory
Compliance and Proofpoint Digital Asset Security content-filtering
modules on the appliances. Proofpoint Secure Messaging pricing starts
at $20,000. For more information, go to
=== RESOURCES AND EVENTS ======================================
For more security-related resources, visit
Gain control over the growing amount of file data in your enterprise.
Learn how File Area Networks (FANs) can help you centralize file
consolidation, migration, replication, and failover. Download this
eBook and start streamlining your file management projects today!
One common set of controls can help you manage compliance across
multiple regulations and standards. Download this free IDC white paper
and find out how to map controls to the appropriate regulations and
save time and expense in demonstrating compliance.
You can't prevent nature from throwing floods, hurricanes, and
earthquakes at your IT systems. You can't always control what people
might do to your systems, either. Download this free eBook and learn to
protect your business in the face of both natural and human-made
=== FEATURED WHITE PAPER ======================================
Built-in SQL Server data protection features aren't enough. Learn to
use an automated data protection solution that provides 24x7
availability to meet today's critical business demands.
=== ANNOUNCEMENTS =============================================
Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!
Grab Your Share of the Spotlight!
Nominate yourself or a peer to become IT Pro of the Month. This is
your chance to get the recognition you deserve! Winners will receive
over $600 in IT resources and be featured in Windows IT Pro. It's easy
to enter--we're accepting June nominations now, but only for a limited
time! Submit your nomination today:
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
Subscribe to Security UPDATE at
Be sure to add Security_UPDATE@list.windowsitpro.com
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- firstname.lastname@example.org
About technical questions -- http://list.windowsitpro.com/t?ctl=529DF:57B62BBB09A692790DDAF3D6C62C9E71
About your product news -- email@example.com
About your subscription -- firstname.lastname@example.org
About sponsoring Security UPDATE -- email@example.com
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.