Microsoft has quietly beefed up a key defensive feature of 64-bit Windows Vista to better protect the operating system against hacks that have plagued it for weeks.
The update to Vista’s Kernel Patch Protection, aka PatchGuard, was issued through Windows Update as a high-priority download, but not as a patch per se. Microsoft, in fact, denied that it was a security fix. “While this update adds additional checks to the Kernel Patch Protection system, it does not involve a security vulnerability,” an advisory posted earlier this week by the Microsoft Security Response Centre (MSRC) stated. “The update does increase the reliability, performance, and resiliency provided by Kernel Patch Protection.”
Although the update targets all 64-bit editions of Windows, it’s Vista that stands out by reason of recent events. Since late July, a pair of utilities have sidestepped a crucial Vista security feature that requires drivers to be signed with a valid digital certificate. Both utilities piggybacked unsigned code onto a legitimate, signed driver to get that unsigned code past Vista’s defences and into the kernel.
First off the mark four weeks ago was Australian developer Linchpin Labs, which released Atsiv (Vista spelled backward), a utility that allowed users to load unsigned drivers to the Vista kernel. Within days, Microsoft had the certificate revoked, forcing Linchpin to throw in the towel.
Canadian researcher Alex Ionescu last week took advantage of a flaw in a Vista video driver from Advanced Micro Devices’s ATI Technologies unit to unveil Purple Pill, another utility that allowed unsigned drivers to be loaded into the kernel. Ionescu quickly pulled Purple Pill once he realised that the ATI driver had not been patched.
“[Purple Pill] had embedded in it an ATI signed driver that would be dropped to disk and loaded (a similar approach to Atsiv),” said Symantec analyst Ollie Whitehouse in a posting to the company’s security blog last week. “However it would appear that this signed driver contained a design error which allows you to use it to load any arbitrary driver even if they are not signed.”
For its part, ATI refreshed its Catalyst video driver for Vista to patch against a repeat of Purple Pill.