My current column describes Atsiv, a tool for loading unsigned kernel code in Windows Vista x64.
Perhaps I was the one who alerted Microsoft, but it responded tonight pretty strongly. As described by Scott Field, Windows Security Architect, in the Windows Vista Security blog, Microsoft has taken the following actions:
- It (actually VeriSign) has revoked the code-signing certificate used in Atsiv. Such certificates from VeriSign cost at least $431/year, and that's if you commit to several years.
- Microsoft is thinking of adding it to their own revocation list. This confuses me; why would it be good enough for VeriSign's revocation list, but Microsoft is only looking into putting it in its own? I've asked.
- Best of all: It has added signatures to Windows Defender to detect Atsiv, at least the current version of it. Source for Atsiv is supposedly available (although I didn't see a link for it on the Linchpin Labs site), so it should be possible to write a new version that Defender won't detect if you're looking forward to losing your own code-signing certificate.
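As an added example (not code from this column or from Linchpin Labs), here is a PowerShell check a defender can run against a driver file to see whether its Authenticode signer chain now fails revocation, the way Atsiv's would after VeriSign's action; `$DriverPath` is a placeholder, not a real path.

```powershell
# Added example: verify a driver's Authenticode signature and check every
# certificate in its chain against online revocation data.
param(
    [string]$DriverPath = 'C:\Path\To\driver.sys'   # placeholder, not a real path
)

function Test-DriverSignatureRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # Unsigned files report NotSigned; a revoked signer typically reports
        # NotTrusted once the CRL has been fetched and cached on this host.
        return [pscustomobject]@{
            Path = $Path; Signature = $sig.Status; Revoked = $null; Detail = $sig.StatusMessage
        }
    }

    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Force a live revocation check of the whole chain, not just the leaf.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the Code Signing EKU (OID 1.3.6.1.5.5.7.3.3) so a certificate
    # issued for some other purpose does not pass.
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.3') | Out-Null

    $built   = $chain.Build($sig.SignerCertificate)
    $revoked = @($chain.ChainStatus | Where-Object { $_.Status -band $flags::Revoked })
    $unknown = @($chain.ChainStatus | Where-Object {
        $_.Status -band ($flags::RevocationStatusUnknown -bor $flags::OfflineRevocation)
    })

    [pscustomobject]@{
        Path              = $Path
        Signature         = $sig.Status
        Signer            = $sig.SignerCertificate.Subject
        ChainOk           = $built
        Revoked           = ($revoked.Count -gt 0)
        RevocationUnknown = ($unknown.Count -gt 0)   # offline host: treat as not proven good
        Detail            = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

Test-DriverSignatureRevocation -Path $DriverPath | Format-List
```

Run this in user mode on the host you care about, because the kernel's own load-time signature check does not consult CRLs, which is exactly why a CA-side revocation alone is not enough to block an already-signed driver.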