Imagine how popular Windows 7 will be, because so many people are using the ‘leaked’ releases and spreading the word, along with the disenchanted users of Vista, and the poor sheep that have been scared by all the hubbub over the end of free support of XP. Imagine now, after all the chest thumping that Microsoft has done about improved security, that already there is a hack that allows complete takeover of the Windows 7 machine, and the authors of it claim that there is no way to fix the flaw, as it is too deep in the bowels of the operating system.

Well, according to a story on NetworkWorld, you don’t have to have an imagination at all, because it is a Microsoft nightmare come true.

Researchers show how to take control of Windows 7

Proof-of-concept code takes control of the computer during the boot process

Security researchers demonstrated how to take control of a computer running Microsoft’s upcoming Windows 7 operating system at the Hack In The Box Security Conference (HITB) in Dubai on Thursday.

Researchers Vipin Kumar and Nitin Kumar used proof-of-concept code they developed, called VBootkit 2.0, to take control of a Windows 7 virtual machine while it was booting up. They demonstrated how the software works at the conference.

“There’s no fix for this. It cannot be fixed. It’s a design problem,” Vipin Kumar said, explaining the software exploits the Windows 7 assumption that the boot process is safe from attack.

While VBootkit 2.0 shows how an attacker can take control of a Windows 7 computer, it’s not necessarily a serious threat. For the attack to work, an attacker must have physical access to the victim’s computer. The attack cannot be done remotely.

VBootkit 2.0, which is just 3KB in size, allows an attacker to take control of the computer by making changes to Windows 7 files that are loaded into the system memory during the boot process. Since no files are changed on the hard disk, VBootkit 2.0 is very difficult to detect, he said.

However, when the victim’s computer is rebooted, VBootkit 2.0 will lose its hold over the computer as data contained in system memory will be lost.

VBootkit 2.0 is a follow-up to earlier work that Kumar and Kumar have done on vulnerabilities contained in the Windows boot process. In 2007, Kumar and Kumar demonstrated an earlier version of VBootkit for Windows Vista at the Black Hat Europe conference.

The latest version of VBootkit includes the ability to remotely control the victim’s computer. In addition, the software allows an attacker to increase their user privileges to system level, the highest possible level. The software can also remove a user’s password, giving an attacker access to all of their files. Afterwards, VBootkit 2.0 restores the original password, ensuring that the attack will go undetected.

Very interesting. Is this a mountain from a molehill? Or is it something to genuinely be worried about? For the home user, almost definitely not, because the physical aspect of it is such that the chances of a miscreant having physical access to your machine, with your knowledge, are small.

On the other hand, businesses that have to constantly worry about disgruntled employees, among other things, might well want to reconsider their jump to Windows 7 until this sort of problem is mitigated fully.

I’m reminded of the original braggadocio of Microsoft, with Windows NT, and the assessed C2 security rating. The only problem was that the machine had to have no floppy drive access (in those days, floppy was practically the only way to locally deal with transfer of information), effectively making a really silly proposition for the prospective users of Windows NT.

I wonder if this will put a greater span of time between the May 5 Release Candidate, and the General Release of Windows 7. That will be the test to see how critical the problem is, and how much Microsoft really cares about its claims of improved security.


I hate to advocate drugs, alcohol, violence, or insanity to anyone, but they’ve always worked for me. •  Hunter S. Thompson

