Microsoft becoming 'software police'

Discussion in 'DSL & Info Tech News' started by dyoddyowel, Aug 8, 2007.

  1. dyoddyowel

    dyoddyowel Member

    Microsoft becoming 'software police' say users
    It had a free utility's digital certificate revoked

    August 06, 2007 (Computerworld) -- Microsoft Corp. last week slammed the door on a free utility out of Australia that outflanked one of the company's touted security features in Windows Vista, by having the program's digital certificate revoked.

    Users took Microsoft to task for the move, noting the slippery slope the company was walking on, with some blasting the vendor for playing "software police."

    Linchpin Labs' Atsiv utility, released July 20, used a signed driver to load other, unsigned code into the Vista kernel, according to U.S.-based Symantec Corp. researcher Ollie Whitehouse. Atsiv, said Whitehouse, thus let users circumvent a feature of the 64-bit version of Vista that allows only digitally signed code to be loaded into the operating system's kernel. The digital signing requirement is one way Vista tries to stymie hackers from infiltrating the kernel -- the heart of the operating system -- with, among other things, rootkit cloaking technologies that hide malware from security software.

    "This is rootkit behavior," said Whitehouse last Monday.

    Atsiv's developers, on the other hand, have touted the utility as a tool useful for loading unsigned but legitimate drivers into 64-bit Vista.

    Friday, Microsoft announced that it had worked with VeriSign Inc., the company that provided the certificate to Linchpin Labs, to have the code signing key revoked, said Scott Field, a Windows security architect, in a posting to the Vista security team's blog. "VeriSign has revoked the code signing key used to sign the Atsiv kernel driver [as of Aug. 2], which means the code signing key will no longer be considered valid," Field said.

    Microsoft also included a detection and removal signature for Atsiv in the Wednesday update to Windows Defender, the antispyware software bundled with both the 32- and 64-bit editions of Vista.

    Field downplayed the kernel signing's significance in the overall Vista security landscape. "[Kernel-mode code signing] is not a security boundary; rather, it is only one aspect of a defense-in-depth approach to security," Field said. "KMCS does not provide a means to determine the 'intent' of the signed code (i.e., good or bad). A primary benefit of KMCS is that it provides a means to identify the author of a piece of code."

    In that regard, Field said, KMCS "worked as expected" in the Atsiv case, even though the utility was able to get around the feature.

    Comments pegged to Field's post were mixed but leaned heavily toward criticizing Microsoft for revoking the Atsiv certificate.

    "I'm uncomfortable with the idea of [certification authority] becoming the software police," said one user, John. "Atsiv may be an easy case, but what precedent does this set when less cut-and-dried cases arise? Working around limitations in an operating system is not necessarily a bad thing."

    "I am also concerned about the implications of Microsoft's ability to have the signing certificate revoked," said Ben, another user commenting on Field's posting. "It appears that Microsoft ... is using [code signing] to ensure that programs do not contravene Microsoft's self-created policies. This is an interesting case of Microsoft not only being self-appointed police, but self-appointed policy makers."

    Michael's long comment started: "This is a very interesting thing Microsoft have [sic] done. The Microsoft logic seems to revolve around Atsiv being 'undesirable' or misrepresenting itself in some fashion. There have never been claims of deception in obtaining the signing certificate, or that the Atsiv tool does anything other than what it claims.

    "To describe this tool as 'undesirable' stretches that word beyond reason. Atsiv has no self-propagating functionality. It doesn't do any privilege escalation or modify any system functions or memory or anything like that. It uses (I assume) documented windows APIs to provide functionality that some people clearly desire. You need to be an administrator to run it. You will see the [User Account Control] dialog, if enabled. If people choose to download and run it on their own computers, then it is providing 'desirable' functionality, by definition."

    Linchpin Labs did not reply to a request for comment, nor has it indicated whether it will seek a replacement certificate to allow Atsiv to work as advertised.

    Gregg Keizer

Share This Page