Security threats Toolkit

Kaspersky predicts Vista security holes

Tags:
Vista

Tom Espiner ZDNet.co.uk

Published: 11 Dec 2006 14:13 GMT

Antivirus experts from Kaspersky Labs have predicted that 90 percent of current malware will run on Microsoft's latest operating system, Windows Vista.

Although at the moment Vista appears to be more secure than previous Windows operating systems, Kaspersky researchers warned last week that as Vista becomes more popular, it will increasingly become a target for hackers. "We're not asking whether vulnerabilities will be found, but when," said Alexander Gostev, principal antivirus researcher for Kaspersky.

According to Gostev, one of the first pieces of the operating system to be attacked will be PatchGuard, the code that protects the Vista kernel. "One of the first things to be targeted will be the technology which is meant to make getting access to the kernel more difficult," said Gostev. "Particularly because there are already approaches for evaluating this technology."

PatchGuard, or kernel patch protection, attempts to protect the Vista kernel from unauthorised modification. It will lock down the system if it detects an unauthorised patch of certain kernel data structures or code.

In the summer, rootkit researcher Joanna Rutkowska demonstrated a signed driver requirement bypass at Defcon 2006. Hackers could try to install malware directly to the kernel using this method as drivers run in kernel space, and the signed driver requirement can be programatically disabled fairly simply.

Another target for hackers will be the system of user privileges — User Account Control (UAC), which can be used to restrict users' administrative rights. For example, it could prevent them from downloading executable code. The probable attack vector will be Internet Explorer 7 (IE7), the web browser bundled with Vista, said Gostev.

"In IE7 Microsoft fixed old vulnerabilities, but new vulnerabilities are being found. Hackers and virus writers will attempt to get around user defences by exploiting the browser," said Gostev. He added that it is already possible to circumvent UAC.

"There are tens of thousands of viruses which are fully functional just under a user account. Nine out of 10 contemporary viruses will function under Vista — overall UAC will not make much difference. Users still have the right to send and receive email — hackers will program email worms."

Gostev predicted that UAC would not be popular with users anyway, as they would find it too restrictive. "Users are not going to want to work within a restrictive system. They'll disable anything which says you can't download, you can't install. There's always going to be the human factor — people always get in there and disable stuff they don't like," said Gostev.