Microsoft Has Verisign Revoke Atsiv Certificate

Microsoft Corp. last week slammed the door on a free utility out of Australia that outflanked one of the company's touted security features in Windows Vista by having the program's digital certificate revoked.

LinchpinLabs' Atsiv utility, released July 20, used a signed driver to load other, unsigned code into the Vista kernel, according to U.S.-based Symantec Corp. researcher Ollie Whitehouse. Atsiv, said Whitehouse, thus let users circumvent a feature of the 64-bit version of Vista that allows only digitally signed code to be loaded into the operating system's kernel. The digital signing requirement is one way Vista tries to stymie hackers from infiltrating the kernel -- the heart of the OS -- with, among other things, rootkit cloaking technologies that hide malware from security software.

"This is rootkit behavior," said Whitehouse last Monday.

Atsiv's developers, on the other hand, have touted the utility as a tool useful for loading unsigned, but legitimate, drivers into Vista 64-bit.

Friday, Microsoft announced it had worked with VeriSign, the company that provided the certificate to LinchpinLabs, to have the code signing key revoked, said Scott Field, a Windows security architect in a posting to the Vista security team's blog. "VeriSign has revoked the code signing key used to sign the Atsiv kernel driver [as of Aug. 2], which means the code signing key will no longer be considered valid," Field said.
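The practical consequence of a revocation like this one is that a driver signed with the revoked key should no longer verify as trusted. The following PowerShell script is an added example, not code from the article, from Microsoft or from LinchpinLabs; it enumerates the kernel drivers registered on a Windows machine and reports each one's Authenticode signature status and signer, so that unsigned drivers or drivers whose signing certificate no longer validates stand out. It assumes PowerShell 3.0 or later with the standard `Get-CimInstance` and `Get-AuthenticodeSignature` cmdlets; the `Resolve-DriverPath` and `Get-DriverSignatureReport` function names are this example's own.

```powershell
# Added example (not from the article): list registered kernel drivers with
# their code-signing status so unsigned drivers, or drivers whose signing
# certificate is no longer valid, can be reviewed. Assumes PowerShell 3.0+.

function Resolve-DriverPath {
    param([string]$RawPath)
    # The service database stores driver paths in several NT-style spellings
    # (\??\C:\..., \SystemRoot\..., system32\...). Normalise them to a Win32
    # path that Get-AuthenticodeSignature can open. -replace is case-insensitive.
    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }
    $p = $RawPath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSignatureReport {
    # One object per registered driver: name, run state, resolved path,
    # signature status (Valid, NotSigned, HashMismatch, NotTrusted, ...),
    # the status message and the signer certificate subject, if any.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name    = $_.Name
                State   = $_.State
                Path    = $path
                Status  = $sig.Status
                Message = $sig.StatusMessage
                Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
        else {
            # Path could not be resolved or the file is missing; still report it.
            [pscustomobject]@{
                Name    = $_.Name
                State   = $_.State
                Path    = $_.PathName
                Status  = 'FileNotFound'
                Message = $null
                Signer  = $null
            }
        }
    }
}

# Anything other than Valid deserves a look: NotSigned, HashMismatch, or a
# status/message indicating that the signing certificate is untrusted or revoked.
# Caveat: drivers signed only through a catalog (.cat) file, which is how
# WHQL-signed drivers are typically signed, can show as NotSigned on PowerShell
# versions that do not consult the catalog store; check those against the
# catalog before treating them as unsigned.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

Run it from an elevated PowerShell session so that every driver file under `System32\drivers` is readable; the final pipeline only filters the report, so dropping the `Where-Object` stage shows the full inventory, including the signer subject for every validly signed driver.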

News source: PCWorld


markjensen said,
As well as useful things, such as running your older hardware on older drivers in Vista, which is what the driver loader utility did.

You're right in that it does have legitimate uses but could also open the door for rootkits. Drivers for most modern hardware should be available for Vista x64 anyway, and I think the number of people using very old hardware with this OS would be low.

markjensen said,
As well as useful things, such as running your older hardware on older drivers in Vista, which is what the driver loader utility did.

Even if it is useful it might have problems; running code that is not controlled in any way can lead to serious problems for users, BSODs and so on. A software firm must control what is done to its products or else users will start badmouthing them for 3rd party problems. There could have been other ways of granting users the ability to run older hardware on newer releases, but if no one needs new hardware companies will go bankrupt...

Rupert said,

You're right in that it does have legitimate uses but could also open the door for rootkits. Drivers for most modern hardware should be available for Vista x64 anyway, and I think the number of people using very old hardware with this OS would be low.

Forks can be used to stab people in the eyes. Does that mean we should ban forks? It does if you want to sell people a new kind of fork that has a built-in "No eye poking" "feature", especially if that means that anyone who wants to make one of these new kinds of fork has to pay you for the privilege.
This is all about selling people a false sense of security. Vista's so-called security measures are mostly smoke and mirrors, but so long as they can convince the large majority of their users that it's "More secure", they can pretend that it's so. Hackers will bypass every security measure Microsoft sells us: Always have, always will.
Now back off before I poke you in the eye with a non-Microsoft fork.

Croquant said,

Forks can be used to stab people in the eyes. Does that mean we should ban forks? It does if you want to sell people a new kind of fork that has a built-in "No eye poking" "feature", especially if that means that anyone who wants to make one of these new kinds of fork has to pay you for the privilege.
This is all about selling people a false sense of security. Vista's so-called security measures are mostly smoke and mirrors, but so long as they can convince the large majority of their users that it's "More secure", they can pretend that it's so. Hackers will bypass every security measure Microsoft sells us: Always have, always will.
Now back off before I poke you in the eye with a non-Microsoft fork. :happy:

Question: If Vista's new security features are nothing but smoke and mirrors, then why have there not been any major security problems for it?

SharpGreen said,
Question: If Vista's new security features are nothing but smoke and mirrors, then why have there not been any major security problems for it?

Why are there no major security problems for Mac OS and for Linux? I'll give you two possibilities: 1) the users of both have massive egos over the supposed superiority of their OS that wards away all the baddies, and 2) option 1 is generally compensating for the lack of market share of their OS.

And I say that in good fun, because I'm currently on a Mac system and I also have systems running Linux and Windows XP. But the correct answer is market share. Even though we like to say that Windows is the majority, we should be correcting ourselves to say that Windows XP is the majority. Mac and Linux are inherently more secure than Windows XP, but they aren't infallible. Similarly, Microsoft has made a step in the right direction by designing Vista with security as a higher priority, but it isn't immune to anything and everything. Time will tell just how secure Windows Vista really is. Given that Microsoft has a terrible security record and that a number of patches have already been delivered to Vista, I'll call you an optimist for believing that Vista's security really is anything more than smoke and mirrors. If I remember correctly (and this could be incorrect, so double check it), its market share has just recently (last month) passed the Mac OS X market share. Generally, only the most widely used operating system is targeted. We'll have to see how things develop.

Rupert said,
It's good that Microsoft is actively doing things to keep their security measures in place, you could probably do some nasty things with this tool.

There's nothing "nasty" about this tool. What's "nasty" is Microsoft not allowing users any freedom of choice.

Well, good for MS, let them shoot themselves in the foot again, because this driver signing nonsense is a major reason why so few people use Vista x64.

toadeater said,
What's "nasty" is Microsoft not allowing users any freedom of choice.

"Why, oh why can't I delete kernel32.dll??? I WANNA MY F***ING FREEDOM OF CHOICE!!!111"

This is bound to cheese off a buttload of Vista 64-bit users who pretty much needed a utility like this to load unsigned device drivers. Guess I am glad I stuck with the 32-bit Vista.

Microsoft needs to get all the idiots who cling to their old **** off 32bit; there is only one way to do it, since people fear change, with good reason. That is forcibly, regardless of justification to the ends. Vista is a stepping stone and always has been.

SimplyPotatoes said,
Microsoft needs to get all the idiots who cling to their old **** off 32bit; there is only one way to do it, since people fear change, with good reason. That is forcibly, regardless of justification to the ends. Vista is a stepping stone and always has been.

Do you think banning unsigned drivers is going to make more people use Vista x64?

Btw... unless Microsoft's plans suddenly change, Windows 7 is going to come in both 32bit and 64bit.

http://www.computerworld.com/action/articl...ticleId=9027559

rdmiller said,
"Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard."

???

I believe it has said that for a while... it is to stop spam bots and trolls that come in and post just to inflame people

Pointless. This doesn't keep VXers out of kernelspace, it just means they have to pay to get there. How carefully are applications for these certificates considered? Judging by this software getting one in the first place, not sufficiently.

Well, maybe the company wasn't completely truthful about what it would use the certificate for when it applied for it. And because you have to pay to access the kernel, it means you can be tracked and stopped if you try to breach the security of the OS.

Havin_it said,
Pointless. This doesn't keep VXers out of kernelspace, it just means they have to pay to get there. How carefully are applications for these certificates considered? Judging by this software getting one in the first place, not sufficiently.

Well, the applications for these certificate types are processed by the CAs (Verisign, Thawte, Geotrust, etc) not by Microsoft. No part of the process entails providing them details of what you intend to use the certificate for. However, the deterrent to making dangerous software and signing it is the amount of personal details and level of identity verification that occurs prior to issuing - it's highly probable that, should you code sign a virus, the issuing CA would provide your name, address, telephone number, and company details to law enforcement (and they DO have all those details).

Aside from the "should Microsoft let *some* people write software to do this, but completely bar others from doing it" argument, isn't it within their rights to block a deliberate attempt to circumvent a security feature built into their operating system?

Fine by me. If applications like this are allowed to exist, driver makers will stop going for proper signing and all of that and just start pushing out this tool because it's easier to hack things together and push out crappy drivers. Nowadays, driver quality is extremely low and so enforcing some sort of standards is fine with me.

The abuse potential for a tool like this is just too great though. If you really want to install unsigned drivers, there are other ways to do it explicitly.

I don't see how this would increase the quality of drivers being written. From what I understand, oversight is being given to ensure that only legitimate entities are being given access - there is no oversight to make sure that their code works properly.

Ledgem said,
I don't see how this would increase the quality of drivers being written. From what I understand, oversight is being given to ensure that only legitimate entities are being given access - there is no oversight to make sure that their code works properly.

Yeah there is. For a driver to get loaded into Kernel Mode, the driver must be signed with a WHQL certificate from the Windows Hardware Quality Labs. To obtain this, your driver is supposed to work perfectly (they defeat the purpose by allowing self-testing though).

Look at the real reason for this. It is only with 64-bit Windows that you can play true HD movies and other content, because only 64-bit Windows provides a protected path from the medium through the display (using HDMI or DisplayPort). If you could load unsigned drivers then you could circumvent this and play (and presumably copy) high definition movies or other content. I suspect in the end that this tool wasn't as much of a threat to Microsoft or end users as it was to Hollywood and other content owners looking to protect their content as it's played using Windows.

I use XP SP2 32bit and I can play and copy HD movies just fine. I could play and copy HD content when I was using Vista 32bit as well.

You can load unsigned drivers by pressing F8 (though this is annoying); if Microsoft was really trying to suck up to the MPAA then they wouldn't leave such a glaring omission in their driver signing protection.

I'm not saying you can't play HD content. If memory serves, Microsoft does not allow full resolution HD content on 32-bit Vista -- only 64-bit Vista (at least this was a decision early -- not certain that it made it all the way to the finished product). Are you sure you're getting full 1080p from your HD movies?
