Re: The Kernal Is A Huge Security Whole In Windows
From: Miha Pihler (miha-news_at_atlantis.si)
Date: 07/15/04
- Next message: Lanwench [MVP - Exchange]: "Re: ** READ THIS BEFORE POSTING - answers to frequently asked questions 2004.07.15"
- Previous message: Patrick: "password encryption"
- In reply to: CHANGE USERNAME TO westes: "Re: The Kernal Is A Huge Security Whole In Windows"
- Next in thread: CHANGE USERNAME TO westes: "Re: The Kernal Is A Huge Security Whole In Windows"
- Reply: CHANGE USERNAME TO westes: "Re: The Kernal Is A Huge Security Whole In Windows"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 15 Jul 2004 20:48:03 +0200
Hi,
for details on Windows File Protection Feature check this article:
Description of the Windows File Protection Feature
http://support.microsoft.com/default.aspx?scid=kb;EN-US;222193
Besides system files, drivers can also be signed, but it is up to the
manufacturer to send them to Microsoft for testing, and if the drivers pass
Microsoft's tests they will be signed.
Digital Signature Benefits for Windows Users
http://www.microsoft.com/winlogo/benefits/signature-benefits.mspx
I don't think it's reasonable to ask Microsoft to be responsible for every driver
and every piece of software written in this world - especially against all
possible combinations of hardware and software.
Any software that you install and run on your PC can damage (infect or steal
information from) your PC. It is up to you to choose wisely. You have an
option to choose digitally signed drivers...
Mike
"CHANGE USERNAME TO westes" <DELETE_westes@earthbroadcast.com> wrote in
message news:%239Z1cYpaEHA.3664@TK2MSFTNGP12.phx.gbl...
> Regarding the dll cache, I have always wondered how does that get updated as
> you apply various service packs? Does Microsoft patch the dllcache at the
> same time? Should we put file security on that cache so that only
> administrators or system can access it?
>
> The easiest way to exploit the security hole I am discussing is obviously
> the device driver driver writer is ridiculous, I'm sorry. You want to
> make the virus writer responsible for making his device driver secure? :)
>
> --
> Will
> westes AT earthbroadcast.com
>
> "Miha Pihler" <miha-news@atlantis.si> wrote in message
> news:eWHs5LpaEHA.3596@tk2msftngp13.phx.gbl...
> > Hi,
> >
> > critical system files are digitally signed and system checks for this
> > signature. If you replace these files with new one that is not digitally
> > signed system will restore it from e.g. dllcache
> > (%systemroot%/system32/dllcache). If it cannot restore it it will ask for
> > installation CD. Same thing happens if you change anything in any of these
> > files -- you invalidate digital signature.
> >
> > You can check digital signatures on files by running "sigverif"...
> >
> > Also all patches and all service packs are digitally signed.
> >
> > I can't say that for system drivers, but that's up on vendors... You can see
> > amount of processor used by Kernel if you open Task Manager and click on
> > Performance Tab > View > Show Kernel Times. You can also check some
> > additional settings by clicking on Processes Tab > View > Select Columns.
> >
> > I hope this helps,
> >
> > Mike
> >
> > "CHANGE USERNAME TO westes" <DELETE_westes@earthbroadcast.com> wrote in
> > message news:eflHw7oaEHA.2840@TK2MSFTNGP11.phx.gbl...
> > > I'm starting to believe that the largest, and most dangerous, security hole
> > > in Windows 2000 is the kernel itself. All a virus needs to do is replace
> > > a key system file that will load into the kernel, or alternately install as
> > > a device driver, and it can hide its behavior to the system. As far as I
> > > can tell, there are no utilities that let me see how much CPU, disk, or
> > > network activity is performed by any component of the Windows 2000 kernel.
> > >
> > > On one of my user's machines, her CPU goes to 100% as soon as she starts up.
> > > We have stopped every single service and application on her machine, and it
> > > doesn't change anything. Is this a virus? Is it a badly written device
> > > driver? Is some hardware generating interrupts that overwhelm the device
> > > driver? How can we know?
> > >
> > > As far as I can tell, there is nothing left to do here but re-install, which
> > > risks that the entire sequence may happen yet again. If Microsoft values
> > > security, this is a huge back door that they cannot allow to remain.
> > >
> > > --
> > > Will
> > > westes AT earthbroadcast.com
> > >
> > >
> >
> >
>
>
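
The signature check discussed in this thread ("sigverif", and the point that changing a signed file invalidates its signature), applied to the drivers that are actually loaded. This is an added example, not part of the original messages; it assumes Windows PowerShell 5.1 or later (where `Get-AuthenticodeSignature` also evaluates catalog signatures), and the function name `Get-UnverifiedRunningDriver` is hypothetical.

```powershell
# Added example: list running kernel drivers whose signature does not verify.
# Assumption: Windows PowerShell 5.1+; run from an elevated prompt so every
# driver file is readable.
function Get-UnverifiedRunningDriver {
    # Win32_SystemDriver covers kernel and file-system drivers known to the
    # Service Control Manager; keep only those currently loaded.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # PathName may carry an NT object-manager prefix (\??\C:\...) or quotes.
        $file = $drv.PathName.Trim('"') -replace '^\\\?\?\\', ''

        if (-not (Test-Path -LiteralPath $file)) {
            # A loaded driver with no file on disk deserves a closer look.
            [pscustomobject]@{
                Driver = $drv.Name; File = $file
                Status = 'FileMissing'; Signer = ''
            }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $file

        # 'Valid' means the hash matches and the chain is trusted.
        # 'HashMismatch' is the modified-after-signing case described above;
        # 'NotSigned' is a driver the vendor never submitted for signing.
        if ($sig.Status -ne 'Valid') {
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Driver = $drv.Name; File = $file
                Status = $sig.Status; Signer = $signer
            }
        }
    }
}

Get-UnverifiedRunningDriver | Sort-Object Status, Driver | Format-Table -AutoSize
```

An empty result means every running driver verified; it does not cover drivers hidden from the Service Control Manager's view, which need an offline check of the disk.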