Kaspersky Reveals the Fundamental Vulnerability of Vista PatchGuard

It runs at the same privilege level as the rootkits it is meant to stop

Kaspersky regards the Kernel Patch Protection introduced in 64-bit Windows Vista as a joke. Alisa Shevchenko, virus analyst at Kaspersky Lab, claims that PatchGuard can "hardly be viewed as providing serious protection against rootkits." In this context, Kaspersky has argued that the Windows Vista kernel, on 64-bit platforms only, is merely "allegedly" immune to modification.

"It is, by its very nature, vulnerable, as is demonstrated by the existence of documented methods for disabling protection. The major vulnerability within PatchGuard is architectural: the code which ensures protection is executed at the same level as code which it is both designed to protect, and to protect against. This protection has the same rights as a potential attacker, and can be evaded or disabled. Ways in which PatchGuard can be exploited or disabled are already known," explained Shevchenko.

Kaspersky also points out that there are rootkits which PatchGuard fails to protect against. The 64-bit Kernel Patch Protection in Vista monitors the kernel's static structures, but it does not cover dynamic structures. Kaspersky cites the FU rootkit as an example: a piece of malicious code that works by modifying dynamic structures. Furthermore, virtualization-based rootkits operate deeper than the kernel level altogether.

"The fundamental vulnerability of PatchGuard is due to the fact that it functions at the same level it is designed to protect. This means that if a malicious application has succeeded in loading its driver, it will be able to disable PatchGuard. Of course, this assumes the location of the relevant monitoring function is known - but it's been clear for a long time that obscurity has little to do with security," Shevchenko added.

Microsoft, however, has stated that while PatchGuard is not impervious, it is patchable, and that the Redmond company will respond accordingly if Kernel Patch Protection is breached.

9 Feb 2007, 16:04 GMT