[ISN] Defeating Vista Security with Drivers

From: InfoSec News (alerts@private)
Date: Wed Apr 18 2007 - 23:05:15 PDT


Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>

=== CONTENTS ===================================================

IN FOCUS: Defeating Vista Security with Drivers

NEWS AND FEATURES
   - OEM BIOS Emulator Bypasses Vista Activation
   - Grisoft Offers Free Antirootkit Tool
   - New Storm Worm Outbreak Spreading Fast
   - Recent Security Vulnerabilities

GIVE AND TAKE
   - Security Matters Blog: 37 Patches on the Way from Oracle
   - FAQ: Microsoft SCE 2007
   - From the Forum: Vote for Your Favorite IPS and Two-Factor 
Authentication Solutions
   - Tell Us About the Products You Love!
   - Share Your Security Tips

PRODUCTS
   - Encrypt Email According to Policy

RESOURCES AND EVENTS

FEATURED WHITE PAPER

ANNOUNCEMENTS


=== SPONSOR: Verio =============================================

Managing Your Web Presence
   Application pooling may achieve server density but it can put your 
code at risk. Download this free white paper and find out how to ensure 
a reliable, secure and scalable Windows-based hosting environment.
   http://list.windowsitpro.com/t?ctl=529CE:57B62BBB09A692790DDAF3D6C62C9E71


=== IN FOCUS: Defeating Vista Security with Drivers =============
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

A couple of interesting developments came to light in the last couple 
of weeks, both of which affect Windows Vista security to some extent. 
The first issue centers around Windows Genuine Advantage (WGA). As 
you'll learn when you read the related news story, "OEM BIOS Emulator 
Bypasses Vista Activation," below, code has been released that can fool 
Vista into thinking that it's a genuine copy when it's not. That feat 
is accomplished by using a third-party driver.

While on the surface this doesn't seem like a security problem, it 
actually is. First of all, imagine some small-to-midsized business 
(SMB) trying to save money on a migration to Vista. The company might 
shop around to try to find the best price possible on a new software 
and hardware combination. The company ends up buying from someone who's 
actually selling pirated copies of Vista that have a driver installed 
to fool WGA. 

Such an unscrupulous seller might just as easily have installed 
anything on the machines, including botnets, rootkits, and keyloggers 
that could be undetectable by existing security solutions. These 
processes could be undetectable because a driver can be used to protect 
a process so that for the most part the process can't be inspected by 
another process. And if the process's memory space can't be inspected, 
then any malware inside it can't be detected. 

Two weeks ago, Alex Ionescu released a proof-of-concept tool called D-
Pin Purr 1.0. The tool, which works only on 32-bit versions of Vista, 
uses a driver that can protect or unprotect a process. Ionescu wrote, 
"It is trivial to make a process protected or unprotected by bypassing 
all the code integrity checks and sandbox in which protected processes 
are supposed to run." So basically, Ionescu discovered a way to bypass 
a major security feature of Windows Vista--one that many vendors have 
been complaining about because it prevents their tools from fully 
working to some extent or other. 

If the tool really works as intended (and while I haven't tested it, I 
suspect that it does), then certainly "bad guys" can create a similar 
tool to defend their botnet, rootkit, and keylogger code. 

Sure, elevated privileges might be required to install drivers into 
Vista, which seems to imply that the potential impact is limited. 
However, as history clearly shows, intruders routinely combine 
vulnerabilities and mix in social engineering, so they might eventually 
be able to get a driver installed. 

You can read more about Ionescu's tool in his blog at the URL below, 
where he also provides a download link for D-Pin Purr. 
   http://list.windowsitpro.com/t?ctl=529E1:57B62BBB09A692790DDAF3D6C62C9E71


=== SPONSOR: Neverfail =========================================

The Future of Business Continuity
   Having customers depend on your IT services in order to communicate, 
purchase, or manage orders is great for your business. But, what 
happens when your applications or Web sites are suddenly unavailable? 
Download this free white paper and learn how to eliminate application 
downtime disruptions of any cause and ensure the continuity of your 
business.
   http://list.windowsitpro.com/t?ctl=529CA:57B62BBB09A692790DDAF3D6C62C9E71


=== SECURITY NEWS AND FEATURES =================================

OEM BIOS Emulator Bypasses Vista Activation
   While there are known methods of bypassing Windows Vista activation 
requirements, a new technique turns out to be the easiest and most 
effective so far in defeating Microsoft's Windows Genuine Advantage 
(WGA) technology.
   http://list.windowsitpro.com/t?ctl=529D7:57B62BBB09A692790DDAF3D6C62C9E71

Grisoft Offers Free Antirootkit Tool
   Grisoft, widely known for its AVG brand of antivirus solutions, 
announced that it's now offering a free antirootkit tool, AVG Anti-
Rootkit, for Windows 2000 and Windows XP systems.
   http://list.windowsitpro.com/t?ctl=529D5:57B62BBB09A692790DDAF3D6C62C9E71

New Storm Worm Outbreak Spreading Fast
   Several companies, including Postini, iDefense Labs, and the SANS 
Institute, are tracking a new outbreak of a variant of the Storm worm 
that's producing heavier than normal detection rates around the 
Internet.
   http://list.windowsitpro.com/t?ctl=529D6:57B62BBB09A692790DDAF3D6C62C9E71

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at
   http://list.windowsitpro.com/t?ctl=529D0:57B62BBB09A692790DDAF3D6C62C9E71


=== SPONSOR: HP ================================================

Free Brief: Personal HP Workstations = Higher ROI?
   Discover why financial services executives get a LOT more out of 
their IT investments by investing in HP Personal Workstation 
Technology. Quickly learn how workstations ensure accuracy and security 
while driving down short and long term operating costs. This quick-read 
guide is a must read today.
   http://list.windowsitpro.com/t?ctl=529DE:57B62BBB09A692790DDAF3D6C62C9E71


=== GIVE AND TAKE ==============================================

SECURITY MATTERS BLOG: 37 Patches on the Way from Oracle
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=529DC:57B62BBB09A692790DDAF3D6C62C9E71

As part of Oracle's quarterly critical patch update, the company will 
release 37 patches next week. So get ready!
   http://list.windowsitpro.com/t?ctl=529D8:57B62BBB09A692790DDAF3D6C62C9E71

FAQ: Microsoft SCE 2007
   by John Savill, http://list.windowsitpro.com/t?ctl=529DA:57B62BBB09A692790DDAF3D6C62C9E71 

Q: What is System Center Essentials (SCE) 2007?

Find the answer at
   http://list.windowsitpro.com/t?ctl=529D4:57B62BBB09A692790DDAF3D6C62C9E71

FROM THE FORUM: Vote for Your Favorite IPS and Two-Factor 
Authentication Solutions 
   Tell us which security products are working for you. It's not too 
late to vote for the best host-based intrusion prevention system
   http://list.windowsitpro.com/t?ctl=529C9:57B62BBB09A692790DDAF3D6C62C9E71
and the best two-factor authentication solution
   http://list.windowsitpro.com/t?ctl=529C8:57B62BBB09A692790DDAF3D6C62C9E71

TELL US ABOUT THE PRODUCTS YOU LOVE!
   What products are you using that save you time or make your workload 
a little lighter? What hot product discoveries have you made that other 
IT pros need to know about? Let the world know about your experiences 
in Windows IT Pro's monthly What's Hot department. If we publish your 
story in What's Hot, we'll send you a Best Buy gift card! Send 
information about your favorite product and how it has helped you to 
whatshot@private 

SHARE YOUR SECURITY TIPS AND GET $100
   Share your security-related tips, comments, or problems and 
solutions in Security Pro VIP's Reader to Reader column. Email your 
contributions to r2r@private If we print your submission, 
you'll get $100. We edit submissions for style, grammar, and length.


=== PRODUCTS ===================================================
   by Renee Munshi, products@private

Encrypt Email According to Policy
   Proofpoint announced a new version of Proofpoint Secure Messaging, 
its policy-driven email encryption solution. The new version uses 
Voltage Security's Voltage Identity-Based Encryption (IBE) technology 
to automatically and dynamically encrypt outbound email based on 
customizable policies. The updated Proofpoint Secure Messaging module 
will be available in June 2007 as an optional component for the 
Proofpoint Messaging Security Gateway appliance and virtual appliance. 
Proofpoint Secure Messaging works with the Proofpoint Regulatory 
Compliance and Proofpoint Digital Asset Security content-filtering 
modules on the appliances. Proofpoint Secure Messaging pricing starts 
at $20,000. For more information, go to
   http://list.windowsitpro.com/t?ctl=529E2:57B62BBB09A692790DDAF3D6C62C9E71


=== RESOURCES AND EVENTS =======================================
   For more security-related resources, visit
   http://list.windowsitpro.com/t?ctl=529D9:57B62BBB09A692790DDAF3D6C62C9E71

Gain control over the growing amount of file data in your enterprise. 
Learn how File Area Networks (FANs) can help you centralize file 
consolidation, migration, replication, and failover. Download this 
eBook and start streamlining your file management projects today!
   http://list.windowsitpro.com/t?ctl=529CD:57B62BBB09A692790DDAF3D6C62C9E71

One common set of controls can help you manage compliance across 
multiple regulations and standards. Download this free IDC white paper 
and find out how to map controls to the appropriate regulations and 
save time and expense in demonstrating compliance. 
   http://list.windowsitpro.com/t?ctl=529CC:57B62BBB09A692790DDAF3D6C62C9E71

You can't prevent nature from throwing floods, hurricanes, and 
earthquakes at your IT systems. You can't always control what people 
might do to your systems, either. Download this free eBook and learn to 
protect your business in the face of both natural and human-made 
disasters. 
   http://list.windowsitpro.com/t?ctl=529CF:57B62BBB09A692790DDAF3D6C62C9E71


=== FEATURED WHITE PAPER =======================================

Built-in SQL Server data protection features aren't enough. Learn to 
use an automated data protection solution that provides 24x7 
availability to meet today's critical business demands.  
   http://list.windowsitpro.com/t?ctl=529CB:57B62BBB09A692790DDAF3D6C62C9E71


=== ANNOUNCEMENTS ==============================================

Introducing a Unique Security Resource 
   Security Pro VIP is an online information center that delivers new 
articles every week on topics such as perimeter security, 
authentication, and system patches. Subscribers also receive tips, 
cautionary advice, direct access to our editors, and a host of other 
benefits! Order now at an exclusive charter rate and save up to $50! 
   http://list.windowsitpro.com/t?ctl=529D1:57B62BBB09A692790DDAF3D6C62C9E71

Grab Your Share of the Spotlight!  
   Nominate yourself or a peer to become IT Pro of the Month. This is 
your chance to get the recognition you deserve! Winners will receive 
over $600 in IT resources and be featured in Windows IT Pro. It's easy 
to enter--we're accepting June nominations now, but only for a limited 
time! Submit your nomination today: 
   http://list.windowsitpro.com/t?ctl=529DD:57B62BBB09A692790DDAF3D6C62C9E71


================================================================

Security UDPATE is brought to you by the Windows IT Pro Web site's 
Security page (first URL below) and Security Pro VIP (second URL 
below).
   http://list.windowsitpro.com/t?ctl=529DB:57B62BBB09A692790DDAF3D6C62C9E71
   http://list.windowsitpro.com/t?ctl=529E0:57B62BBB09A692790DDAF3D6C62C9E71

Subscribe to Security UPDATE at
   http://list.windowsitpro.com/t?ctl=529D3:57B62BBB09A692790DDAF3D6C62C9E71

Be sure to add Security_UPDATE@private 
to your antispam software's list of allowed senders.

To contact us: 
   About Security UPDATE content -- letters@private
   About technical questions -- http://list.windowsitpro.com/t?ctl=529DF:57B62BBB09A692790DDAF3D6C62C9E71
   About your product news -- products@private
   About your subscription -- windowsitproupdate@private
   About sponsoring Security UPDATE -- salesopps@private

View the Windows IT Pro privacy policy at
   http://list.windowsitpro.com/t?ctl=529D2:57B62BBB09A692790DDAF3D6C62C9E71

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org



This archive was generated by hypermail 2.1.3 : Wed Apr 18 2007 - 23:12:06 PDT