In the August 8 edition of Windows IT Pro Update ("Hacking Windows Vista" at http://windowsitpro.com/Article/ArticleID/93108/93108.html ), I described Joanna Rutkowska's efforts to bypass Windows Vista security during the Black Hat USA 2006 conference, held recently in Las Vegas. Her hack, called Blue Pill (ostensibly a reference to a scene from "The Matrix"), used AMD's Pacifica virtualization technologies, plus a heaping helping of the oldest hack of all time--human error--to work its magic. Because of these last two points, a number of readers cried foul at my attempt to label this event a valid Vista hack. Microsoft, as you might expect, was quick to disagree as well.
In a posting on the Windows Vista Security blog (see URL below), Austin Wilson, a director in Microsoft's Windows Client Business Group, described the Blue Pill demonstration as an example of why there is no "silver bullet" when it comes to security. "It's very difficult to protect against an attacker that is sitting at the console of your computer with an administrator command window open," he wrote. "Both \[demos that were shown\] started by assuming that the person trying to execute the code already had administrative privileges on the computer ... She \[demonstrated\] a way for someone who has admin level access to attempt to insert unsigned code into the kernel on the x64 versions of Windows Vista."
Wilson says that Microsoft is investigating whether Rutkowska's hack requires the company to make any changes to Vista prior to launch. But Wilson makes a good point: Vista is designed to ensure that users don't typically have administrator-level access, so this sort of hack won't be very common.
Fair enough. My point in publicizing the Black Hat episode wasn't so much to point out that Vista was already successfully hacked, but rather to emphasize that Vista, like Windows XP before it, will be a primary attack vector for hackers because of its popularity. The question, of course, is whether Vista will suffer from the same withering array of electronic attacks that dogs XP today. The Black Hat episode is simply a warning that the bad guys will be looking very closely at Vista indeed.
But there is more evidence that Vista won't be impervious to attack. Last week, Microsoft actually released two critical security updates for Vista Beta 2 and later. The software maker attempted to paint these releases in a positive note, with Microsoft's Alex Heaton noting that "Windows Vista is the first major Microsoft product release that will be serviced with security updates throughout the beta process ... Of the seven critical Windows updates released in August, only two (MS06-042 and MS06-051) also affect Vista Beta 2 or later."
"Only" two? I mean no offense, but was that meant to be funny? If so, then customers might also find it hilarious that Microsoft doesn't include information about beta products in formal security bulletins. Fortunately, you can find out a bit about them in the Microsoft article," Available updates for Microsoft Windows Vista Beta 2" (http://support.microsoft.com/kb/921583/en-us ), which highlights all Vista updates that Microsoft has released since Beta 2:
My point here is simple: Although Vista is a huge step up from XP from a security standpoint--honestly, an absolutely necessary and commendable upgrade--it shouldn't be viewed as a panacea of any kind. If this summer's handful of Vista critical security updates is any indication, Microsoft's corporate customers will be justified in making a slow, measured migration to Vista. Service Pack 1 (SP1) anyone?
Back From Black Hat (Windows Vista Security Blog)