Symantec Critical of Windows Vista Security
Published: August 16, 2006
by Alex Woodie
Microsoft has taken solid steps to improve Windows security with the upcoming new version, but in some ways it has not gone far enough, and it is still possible to hack through the defenses. These were the conclusions that Symantec came to in three detailed reports it has published over the last five weeks. Microsoft says not to worry, because Symantec's conclusions were based on pre-release versions of Vista and some of the vulnerabilities have already been addressed.
Security researchers with Symantec's DeepSight Threat Analyst team picked apart beta versions of Windows Vista and issued their findings in three reports: "Windows Vista Network Attack Surface Analysis: A Broad Overview," published July 11; "Analysis of the Windows Vista Security Model," published July 24; and "Assessment of Windows Vista Kernel-Mode Security," which Symantec released last week. All three reports can be viewed at www.symantec.com/enterprise/security_response/weblog/authors/oliver_friedrichs.html.
Network Stack Rewritten from Ground Up
In its first report, on how Windows Vista's network components stack up, Symantec found reason to be wary, largely because Microsoft has completely rewritten Windows' network stack for Vista. While users are expected to benefit from the new stack in various ways--including integrated support for IPv6 right alongside current IPv4 support--the sheer newness of the code raises the concern of Symantec.
"The amount of new code present in Windows Vista provides many opportunities for new defects. Each new protocol comes with its own collection of security implications that will need to be understood and considered," write the report's authors, Tim Newsham and Jim Hoagland. "In deciding to rewrite the stack, Microsoft has removed a large body of tried and tested code and replaced it with freshly written code, complete with new corner cases and defects. This may provide for a more stable networking stack in the long term, but stability will suffer in the short term."
In Microsoft's defense, the authors admitted that their look into Vista's networking technology was "broad and shallow," and said they expected Microsoft to address many of the shortcomings in pre-release builds of Vista before the operating system is made generally available.
UAC Flaws and Privilege Escalation
In the second paper, "Analysis of the Windows Vista Security Model," Symantec researcher Matthew Conover takes a close look at two of Vista's new security features: User Account Protection (the pre-release name for User Account Control, or UAC) and User Interface Privilege Isolation.
UAC is expected to greatly enhance the security of Windows by no longer running users with full privileges by default, a practice that increases the likelihood of hackers and malware compromising a system. However, Microsoft's implementation of UAC--at least in the February Vista build--was rife with flaws and vulnerabilities. "By exploiting these flaws, a low privilege, low integrity level process can bypass User Account Protection, and ultimately execute code at a high privilege, high integrity level," Conover writes. By August, Microsoft had fixed some of these flaws and closed the corresponding exploit paths.
Microsoft's attempt to accommodate the new security model while maintaining maximum backward compatibility also led to some troublesome findings by Conover, who singled out two "seemingly intractable implementation flaws." First, developers request too much authority for their programs, he writes. Where a program needs only read access to a resource such as a registry key, for example, Windows programmers tend to request broader permissions than that. Third-party developers aren't the only ones going down this path: in the build examined, the clock in the taskbar and shutdown.exe both required administrative privileges. (Microsoft will undoubtedly fix these problems before Vista ships.) It's worth noting that Yankee Group also had its doubts about the way UAC is being implemented in Vista (see "Yankee Group Gives Mixed Review of Vista Security Features").
The second major issue Conover raises is that Vista can have several processes created by the same user running at different integrity levels. "This obviously creates an incentive for a low integrity level process to try to acquire the higher integrity level of the other process created by the same user," he writes. Malicious code authors and spyware writers, in particular, will look for weaknesses in how Internet Explorer 7 sandboxes its low-integrity processes and keeps them from obtaining code execution at a higher integrity level.
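The two points above, over-requested access and per-process integrity levels, can be seen directly from a PowerShell prompt on Vista or later. The following script is an added example written for this article; it is not code from Symantec's report or from Microsoft. It reports the integrity label and elevation state of the current process, then shows why the over-broad request (read plus write on an HKLM key) is refused under a non-elevated token while the least-privilege request (read only) succeeds. The key path used is an illustrative choice, and the S-1-16 label lookup via WindowsIdentity.Groups falls back to whoami /groups if the label is not present in the .NET group list.

```powershell
# Added example, not from the original article or Symantec's report.
# Requires PowerShell 2.0 or later (try/catch). Run once from a normal prompt
# and once from an elevated one to compare the results.

function Get-CurrentTokenInfo {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # The mandatory integrity label is a SID of the form S-1-16-<level>:
    # 0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system.
    $labelSid = $identity.Groups |
        Where-Object { $_.Value -like 'S-1-16-*' } |
        Select-Object -First 1 |
        ForEach-Object { $_.Value }
    if (-not $labelSid) {
        # Fallback: parse the label from whoami, which queries it separately.
        $line = (& whoami /groups 2>$null | Select-String 'S-1-16-\d+').Matches
        if ($line) { $labelSid = $line[0].Value }
    }
    $level = if ($labelSid) { [int]($labelSid.Split('-')[-1]) } else { -1 }
    $name = switch ($level) {
        4096    { 'Low' }
        8192    { 'Medium' }
        12288   { 'High' }
        16384   { 'System' }
        default { "Unknown ($level)" }
    }
    New-Object PSObject -Property @{
        User           = $identity.Name
        IntegrityLevel = $name
        Elevated       = $principal.IsInRole(
                             [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Test-RegistryAccess {
    # $SubKey is an illustrative choice; any HKLM key standard users can read works.
    param([string]$SubKey = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion')
    $hklm    = [Microsoft.Win32.Registry]::LocalMachine
    $results = @{}
    foreach ($writable in $false, $true) {
        # OpenSubKey($name, $true) asks for KEY_READ|KEY_WRITE, the over-broad
        # request Conover describes; $false asks only for KEY_READ.
        $mode = if ($writable) { 'read+write (over-broad)' } else { 'read-only (least privilege)' }
        try {
            $k = $hklm.OpenSubKey($SubKey, $writable)
            if ($k) { $results[$mode] = 'granted'; $k.Close() }
            else    { $results[$mode] = 'key not found' }
        } catch [System.Security.SecurityException] {
            $results[$mode] = 'denied: ' + $_.Exception.Message
        }
    }
    $results
}

Get-CurrentTokenInfo | Format-List
Test-RegistryAccess  | Format-Table -AutoSize
```

Under a standard user, or an administrator's UAC-filtered medium-integrity token, the read-only open succeeds and the writable open is denied; from an elevated high-integrity prompt both succeed. A program that asks for the writable handle when it only reads the key is exactly the kind that forces a needless elevation prompt.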
Windows Vista Kernel Security
The third report, "Assessment of Windows Vista Kernel-Mode Security," looks into some of the new kernel-level security features that Microsoft is introducing with Vista. "The kernel mode security enhancements in Windows Vista are quite substantial, resulting in a dramatic reduction of its overall attack surface," Conover writes. "However, we have identified certain weaknesses in the kernel enhancements that may be leveraged by malicious code to undermine these improvements."
The centerpiece of those enhancements is mandatory driver signing. In the 64-bit versions of Vista, all kernel-mode drivers must be signed with a Class 3 code-signing certificate, which, the report notes, only VeriSign or Microsoft issue. This requirement (not enforced in the 32-bit version of Windows Vista), combined with the work Microsoft has done to minimize administrative privileges, should dramatically cut down on malware infections picked up while browsing the Web; with no signing requirement, loading a kernel driver was practically a free-for-all for malware writers.
However, one of the weak links in the new driver-signing scheme is the trust placed in whoever holds a certificate. "An unscrupulous entrepreneur could register a legitimate business, obtain a publishing certificate from a trusted certificate authority, and then sign drivers on behalf of malicious vendors for a profit," Conover writes. Virtualization technology is another possible way around the signed-driver requirement in Vista, as a researcher demonstrated at the recent Black Hat conference.
Moreover, the entire driver-signing check can be disabled by applying binary patches to winload.exe and ci.dll, Conover writes. "Patching these files at runtime is quite straightforward," he says. "Though these files are protected by Windows Resource Protection (WRP), this can easily be evaded as we have demonstrated."
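An administrator who wants to check the state described in the last three paragraphs on a running system can do so with the script below. It is an added example written for this article, not code from Symantec or Microsoft. It lists drivers under System32\drivers whose Authenticode signature is missing or invalid (and who signed the rest, which is the only visibility a defender has into the "unscrupulous entrepreneur" case), checks the on-disk signatures of winload.exe and ci.dll, and reads the boot configuration to see whether test-signing is enabled. Paths and the bcdedit output format are assumed to be those of a standard Vista or later install; run it from an elevated prompt because bcdedit requires one.

```powershell
# Added example, not from the original article or Symantec's report.
# Audits driver-signing state: unsigned drivers, the integrity of the two
# code-integrity binaries Conover names, and the test-signing boot option.

function Get-DriverSignatures {
    # Assumes the default driver directory; returns one record per .sys file.
    param([string]$DriverDir = "$env:SystemRoot\System32\drivers")
    Get-ChildItem -Path $DriverDir -Filter *.sys |
        ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
        Select-Object Path, Status,
            @{ Name = 'Signer'; Expression = {
                if ($_.SignerCertificate) { $_.SignerCertificate.Subject } else { '(none)' } } }
}

function Get-UnsignedDrivers {
    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError, ...)
    # is worth a look on a 64-bit system that is supposed to enforce signing.
    Get-DriverSignatures | Where-Object { $_.Status -ne 'Valid' }
}

function Test-CodeIntegrityBinaries {
    # winload.exe and ci.dll are the patch targets named in the report. An
    # on-disk patch breaks the Authenticode hash and shows up as HashMismatch.
    # Caveat: a runtime (in-memory) patch leaves the files untouched, so a
    # clean result here does not prove the running kernel is enforcing signing.
    $files = "$env:SystemRoot\System32\winload.exe", "$env:SystemRoot\System32\ci.dll"
    foreach ($f in $files) {
        if (Test-Path $f) {
            $sig = Get-AuthenticodeSignature -FilePath $f
            New-Object PSObject -Property @{
                File   = $f
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        } else {
            New-Object PSObject -Property @{ File = $f; Status = 'missing'; Signer = '(none)' }
        }
    }
}

function Get-TestSigningState {
    # bcdedit prints a line 'testsigning  Yes' when test-signed drivers are
    # allowed to load, which weakens the 64-bit signing requirement.
    $out = & bcdedit /enum '{current}' 2>&1 | Out-String
    if     ($out -match '(?im)^\s*testsigning\s+Yes') { 'enabled' }
    elseif ($out -match '(?im)^\s*testsigning')       { 'disabled' }
    else                                              { 'not set' }
}

"--- Drivers without a valid signature ---"
Get-UnsignedDrivers | Format-Table -AutoSize
"--- Code-integrity binaries (on-disk check only) ---"
Test-CodeIntegrityBinaries | Format-Table File, Status, Signer -AutoSize
"--- Test-signing boot option: $(Get-TestSigningState) ---"
```

Get-DriverSignatures on a healthy system is also a quick way to review the signer subjects: a driver signed by an unfamiliar business name is valid as far as the code-integrity check is concerned, which is precisely the weakness the report describes.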
To be fair to Microsoft, Symantec picked apart pre-release versions of Windows Vista for its reports, and Microsoft has already fixed several of the problems that Symantec identified. While Microsoft and Symantec serve the same set of customers, their relationship has grown a little more competitive and a little less cozy lately, thanks to Microsoft's entry into the antivirus market currently dominated by Symantec, and the recent lawsuit Symantec filed against Microsoft for alleged theft of intellectual property.
Hopefully, Symantec maintains its high level of Windows Vista security analysis, and keeps Microsoft's toes to the security fire. While Microsoft may kick and scream that it's being unfairly targeted for Windows security failures--a claim that has some backing, if only because Windows has become the dominant operating system--the biggest threat to the progression of PC security is the establishment of a security monoculture. Perhaps more kicking and screaming would be a good thing.