Hacking Windows Vista

My original Hack Windows Vista article received a number of responses from people who felt that the Blue Pill hack described below didn't necessarily mean that Windows Vista had been compromised. I'm not sure I agree: Even a casual examination of the new security controls in Vista will demonstrate that Microsoft is trying to prevent users from making silly mistakes that can lead to successful electronic attacks. And sure enough, the Blue Pill attack does require the user to make a mistake. Compromise or not, Blue Pill should be a cause for alarm for anyone who thinks that Windows Vista will be a security panacea. My take is that Vista will be dramatically more secure than XP. The only question, of course, is whether it will be good enough.

Hacking Windows Vista
Sure, Vista's still in beta, but we're in the release candidate (RC) phase of development now and that supposedly means that the next potential Vista milestone is a build of the product that Microsoft considers a candidate for the final release version. (Reality update: In a bit of name bending, the Vista RC1, still expected this month, will have more in common with a beta release than the final shipping version.)

Here's the thing. Vista is feature complete and has been since early this year. Microsoft will no doubt change Vista's security features to prevent the kind of hack that was demonstrated during Black Hat (in which a Polish security researcher used virtualization technologies to bypass Vista's security). But this is exactly the kind of reactive security measure that Microsoft's newly minted and much-ballyhooed security code review was supposed to prevent. It's not hard to imagine other security flaws being exposed after Vista is finalized. What happens then? A monthly deluge of security updates, just as happened with Windows XP.

Joanna Rutkowska, the researcher who demonstrated how to bypass Vista's security, made an interesting comment that pretty much sums up my expectations. "The fact that this mechanism was bypassed does not mean that Vista is completely insecure," she said. "It's just not as secure as advertised. [But] it's very difficult to implement a 100 percent-efficient kernel protection." In other words, Vista will be more secure than XP, but will still face security problems. Thus, the status quo is likely to continue. That's a bad sign.

Rutkowska calls her hack Blue Pill, and it uses AMD's Pacifica virtualization technologies, plus a bit of user interaction--bypassing User Account Protection (UAP) by pressing the Accept button in a dialog box--to pull off its magic. Some people might argue that such a complex series of steps speaks well of Vista's security. But in my experience, most of the best hacks are bootstrapped by user error. Humans are pretty much the weakest link in the security chain. It's no wonder, when you think about it, that many of Vista's security features--such as Microsoft Internet Explorer 7 Protected Mode, UAC, and Address Space Layout Randomization (ASLR)--are ultimately designed to help protect us from ourselves.

Security aside, Vista is nowhere near the shape it needs to be in at this stage in the game. Thus, I'm recommending that Microsoft hold off on releasing Vista until the product is really ready rather than releasing it in October to meet an arbitrary release to manufacturing (RTM) date. Microsoft, you can always grandfather in Software Assurance (SA) customers who were counting on getting Vista licenses this year. Do the right thing.

I've also written a tongue-in-cheek overview of my feelings about the readiness of Vista in an article called Is Windows Vista Ready? You might find it entertaining.

This article originally appeared in the August 8, 2006 issue of Windows IT Pro UPDATE.

--Paul Thurrott
Hacking Windows Vista Revisited

In my original Hacking Windows Vista commentary (see above), I described Joanna Rutkowska's efforts to bypass Windows Vista security during the Black Hat USA 2006 conference, held recently in Las Vegas. Her hack, called Blue Pill (ostensibly a reference to a scene from "The Matrix"), used AMD's Pacifica virtualization technologies, plus a heaping helping of the oldest hack of all time--human error--to work its magic. Because of these last two points, a number of readers cried foul at my attempts to label this event a valid Vista hack.

Microsoft, as you might expect, was quick to disagree as well. In a posting on the Windows Vista Security blog, Austin Wilson, a director in Microsoft's Windows Client Business Group, described the Blue Pill demonstration as an example of why there is no "silver bullet" when it comes to security. "It's very difficult to protect against an attacker that is sitting at the console of your computer with an administrator command window open," he wrote. "Both [demos that were shown] started by assuming that the person trying to execute the code already had administrative privileges on the computer ... She [demonstrated] a way for someone who has admin level access to attempt to insert unsigned code into the kernel on the x64 versions of Windows Vista."

Wilson says that Microsoft is investigating whether Rutkowska's hack requires the company to make any changes to Vista prior to launch. But Wilson makes a good point: Vista is designed to ensure that users don't typically have administrator-level access, so this sort of hack won't be very common.

Fair enough. My point in publicizing the Black Hat episode wasn't so much to point out that Vista was already successfully hacked, but rather to emphasize that Vista, like Windows XP before it, will be a primary attack vector for hackers because of its popularity. The question, of course, is whether Vista will suffer from the same withering array of electronic attacks that dogs XP today. The Black Hat episode is simply a warning that the bad guys will be looking very closely at Vista indeed.

But there is more evidence that Vista won't be impervious to attack. Last week, Microsoft actually released two critical security updates for Vista Beta 2 and later. The software maker attempted to paint these releases in a positive light, with Microsoft's Alex Heaton noting that "Windows Vista is the first major Microsoft product release that will be serviced with security updates throughout the beta process ... Of the seven critical Windows updates released in August, only two (MS06-042 and MS06-051) also affect Vista Beta 2 or later."

"Only" two? I mean no offense, but was that meant to be funny? If so, then customers might also find it hilarious that Microsoft doesn't include information about beta products in formal security bulletins. Fortunately, you can find out a bit about them in the Microsoft article, Available updates for Microsoft Windows Vista Beta 2, which highlights all Vista updates that Microsoft has released since Beta 2.

My point here is simple: Although Vista is a huge step up from XP from a security standpoint--honestly, an absolutely necessary and commendable upgrade--it shouldn't be viewed as a panacea of any kind. If this summer's handful of Vista critical security updates is any indication, Microsoft's corporate customers will be justified in making a slow, measured migration to Vista. Service Pack 1 (SP1) anyone?

This article originally appeared in the August 22, 2006 issue of Windows IT Pro UPDATE.

--Paul Thurrott