ITsVISTA
Information that makes life easier when it comes to installing, managing, and using Windows Vista.

Microsoft responds decisively to unsigned driver ‘hack’

A few days ago I briefly mentioned a special driver, called Atsiv, that allows unsigned drivers to be loaded. The blogosphere has since been blogging extensively about it, and Microsoft has taken notice. Today, Microsoft’s Windows Vista Security Blog addressed the issue, and it’s obvious they weren’t too happy about it.

Released by Linchpin Labs, which is a privately-funded, security research and software development company with offices in Sydney, Australia and Ottawa, Canada, Atsiv is described on their website as:

…a command line tool that allows the user to load and unload signed or unsigned drivers on 32 and 64 bit versions of Windows XP, Windows 2K3 and Windows Vista. Atsiv is designed to provide compatibility for legacy drivers and to allow the hobbyist community to run unsigned drivers without rebooting with special boot options or denial of service under Vista.

Scott Field, the Windows Security Architect at Microsoft, today described how the Atsiv tool conflicts with the Kernel Mode Code Signing (KMCS) policy included in Windows Vista x64 editions, and how it allows unsigned kernel mode code to load without being visible to commonly deployed tools. This isn’t considered a security threat, since loading Atsiv requires administrative privileges, and Scott goes on to describe how all of Vista’s defenses worked as planned. What’s strange is that despite what appears to be a harmless tool that can only be installed with a user’s permission, Microsoft has responded very seriously, making the tool unusable on the typical install:

Microsoft is committed to protecting its customers from potential as well as actual security threats; accordingly, we are responding to this issue as follows:

  1. Windows Defender released a signature update on August 2, 2007 that allows detection, blocking, and removal of the current Atsiv driver. Classification of the Atsiv software was done in accordance with the objective criteria used by the Windows Defender team to assess the characteristics of potentially unwanted software.
  2. Certificate revocation has occurred as of August 2, 2007. Microsoft has worked with partners in the code signing certification authority ecosystem to assess the Atsiv issue. VeriSign has revoked the code signing key used to sign the Atsiv kernel driver, which means the code signing key will no longer be considered valid.
  3. The security team at Microsoft is investigating adding the revoked key to the kernel mode code signing revocation list, as an additional defense in depth measure. The kernel mode revocation mechanism requires a system reboot in order for the new revocation list to take effect, which is consistent with other Microsoft updates which require and subsequently trigger a reboot.

Now this wouldn’t be the first time that I completely misunderstood something, but it sure seems by this quick and strong response that this issue is more serious than Microsoft is letting on. Will we see this tool modified in some way and incorporated in some form of virus attack? Time will tell, but I know my machine has already received the update that will detect and kill it, at least in its current form.
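As an added illustration of the checks that the KMCS policy and the certificate revocation described above depend on (this is my own example, not code from the post, Microsoft or Linchpin Labs), the following PowerShell script inventories the drivers registered on a host, verifies each file’s Authenticode signature, and walks the signer’s certificate chain with online revocation checking so that unsigned, tampered or revoked-signer drivers stand out for review. It assumes an elevated session and the standard Get-CimInstance and Get-AuthenticodeSignature cmdlets; the function name Get-DriverSignatureReport is mine.

```powershell
# Added example (not from the post, Microsoft or Linchpin Labs).
# Assumes an elevated PowerShell session on the host being examined.
function Get-DriverSignatureReport {
    $results = @()
    foreach ($drv in Get-CimInstance -ClassName Win32_SystemDriver) {
        if (-not $drv.PathName) { continue }
        # PathName may carry a \??\ or \SystemRoot\ prefix or quotes; normalise it.
        $path = $drv.PathName -replace '"', ''
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Status is Valid, NotSigned, HashMismatch, NotTrusted, ... for the file itself.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $revoked = $false
        $chainErrors = @()
        if ($sig.SignerCertificate) {
            # Build the signer's chain with online CRL/OCSP checks so a key the CA has
            # revoked (as VeriSign did for the Atsiv signing key) is reported as such.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
            [void]$chain.Build($sig.SignerCertificate)
            $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
            $revoked = ($chainErrors -contains 'Revoked')
        }

        $results += [pscustomobject]@{
            Driver    = $drv.Name
            State     = $drv.State            # Running / Stopped
            Path      = $path
            SigStatus = $sig.Status.ToString()
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Revoked   = $revoked
            ChainErr  = ($chainErrors -join ';')
        }
    }
    return $results
}

# Show only what a signing policy would reject: unsigned, tampered, or revoked-signer drivers.
Get-DriverSignatureReport |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Revoked } |
    Sort-Object State -Descending |
    Format-Table Driver, State, SigStatus, Revoked, Signer -AutoSize
```

A driver that was loaded without registering a service, which is the situation the post describes for code loaded through Atsiv, does not appear in Win32_SystemDriver, so this inventory complements rather than replaces the in-memory detection that the Windows Defender signature update provides.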


Comments

  • David

    Aug 5, 2007 at 5:38 am

    Read some of the comments from the MSDN article:

    Wow, no sooner than I manage to get my parallel LCD working in Vista x64, than MS break it again.

    Whilst I have some sympathy for MS’s position here, I still believe that I should be able to control what runs on my hardware. On top of the fact that I never got BSODs on XP (x64) when it was using unsigned drivers.

    I still suspect this is all about DRM. But as I don’t want to play any DRM’d media, I don’t see a lot of point in that stopping me running unsigned drivers either.

    I’m so grateful to MS for not allowing me to use my own hardware at my own risk.

    ---

    I wouldn’t automatically classify loading unsigned kernel code on X64 Windows as “malware”. It could enable malware, but it could also enable open source drivers with the knowledge and consent of the computer owner. I have trouble with “might be used for evil” being the standard for certificate revocation.

    Congratulations Microsoft you revoked a certificate for a useful tool that did exactly what it advertised.

    What are you doing to stop real malware that doesn’t advertise? Or, as Joanna Rutkowska pointed out, inserts intentional vulnerabilities?

  • Ben

    Aug 5, 2007 at 5:00 pm

    It would appear that Microsoft’s aim is to ensure that people’s personal computers do what Microsoft wants them to do rather than necessarily what the owner wants them to do.

    Recently I bought a Bluetooth headset so I could make VoIP calls. I expected that I would be able to use the Bluetooth adapter in my computer and connect to it. Unfortunately the Bluetooth drivers shipped with Vista would only recognise the device but could not support hands-free audio. I was able to get some third-party drivers; unfortunately they were not signed.

    Thanks to Atsiv I could freely download a tool which enabled me to load my unsigned Bluetooth drivers without affecting the features of the operating system, namely being restricted from playing certain DRM media. While the whole issue of DRM is a controversial and complicated matter, I don’t feel that in this case by simply wanting to use the Bluetooth device I bought with the computer and operating system I also bought should be interpreted as a means to circumvent copyright.

    Worse still, if I was unlucky enough to be running Vista x64 edition, I would have to press F8 each time the computer boots up and manually select the option to load unsigned drivers.

    I appreciated the tool Atsiv that enabled me a choice I felt I should have had already with the operating system I purchased. I feel less appreciative of the efforts of Microsoft to remove this choice from me.

    I am also concerned about the implications of Microsoft’s ability to have the signing certificate revoked. My understanding of a signing certificate is that it is protection for the end user that the file (in this case the Atsiv driver) has not been modified since it was signed by the author. The author is identified through the signing process, giving me the choice as to whether I want to trust this. If I trust it then I can be confident that it has not been modified by someone else to do something else. In this case the program does exactly what it claimed. I installed it myself, I read the document describing what it would do, and am happy to have this running on my system. In addition, the UAC mechanism works as intended to protect my computer from a malicious program attempting to install Atsiv without my knowledge.

    However it appears that Microsoft has decided to take the signing authority further and is using it to ensure that programs do not contravene Microsoft’s self created policies.

    This is an interesting case of Microsoft not only being self appointed police, but self appointed policy makers.

    It should be noted that there is in fact nothing illegal about the Atsiv utility, nor is it illegal for me to use a Bluetooth headset with Vista. There is no law that states unsigned drivers must not be loaded into the kernel of an operating system, this is simply something Microsoft themselves have decided.

    While the circumvention of DRM may be illegal in certain jurisdictions, the idea that Atsiv may be used in the process of circumventing it is a very weak argument. Microsoft themselves release a product called Visual Studio. This contains various compilers, assemblers, and an entire SDK for programming anything on a Windows platform. Visual Studio can be used to write a program designed for bypassing DRM or in fact anything else the author intended, whether for good or for malicious reasons. Malware can be, and most probably is, written using Visual Studio.

    Now I do not claim that Visual Studio is in any way a malicious program; it simply does what it advertises it does. It enables people to write programs of their own choosing. Likewise Atsiv does nothing malicious itself; it simply allows people to load other drivers of their choosing. I would argue that if Atsiv is to have its signing certificate revoked, then under the same reasoning Visual Studio should also have its certificates revoked.

    One final comment I would like to make is the fact that Microsoft’s response to this does nothing to protect users from malware. As Atsiv demonstrates, it is very easy for anyone with a few hundred dollars to get a signing certificate. While this might be a deterrent to some authors, the malware industry is big business these days and it will not be a hindrance to them whatsoever. I fully expect that the next time a major music distributor decides to embed a rootkit on their CDs it will be signed, and therefore allowed right in by Microsoft.

    Ben.
