Security UPDATE--Defeating Vista Security with Drivers--April 18, 2007


Managing Your Web Presence

The Future of Business Continuity

Free Brief: Personal HP Workstations = Higher ROI?



IN FOCUS: Defeating Vista Security with Drivers


- OEM BIOS Emulator Bypasses Vista Activation

- Grisoft Offers Free Antirootkit Tool

- New Storm Worm Outbreak Spreading Fast

- Recent Security Vulnerabilities


- Security Matters Blog: 37 Patches on the Way from Oracle

- FAQ: Microsoft SCE 2007

- From the Forum: Vote for Your Favorite IPS and Two-Factor Authentication Solutions

- Tell Us About the Products You Love!

- Share Your Security Tips


- Encrypt Email According to Policy




=== SPONSOR: Verio


Managing Your Web Presence

Application pooling may achieve server density but it can put your code at risk. Download this free white paper and find out how to ensure a reliable, secure and scalable Windows-based hosting environment.

=== IN FOCUS: Defeating Vista Security with Drivers


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Two interesting developments came to light in the last couple of weeks, both of which affect Windows Vista security to some extent. The first centers on Windows Genuine Advantage (WGA). As you'll learn when you read the related news story, "OEM BIOS Emulator Bypasses Vista Activation," below, code has been released that can fool Vista into thinking that it's a genuine copy when it's not. That feat is accomplished with a third-party driver.

While on the surface this doesn't seem like a security problem, it actually is. First of all, imagine some small-to-midsized business (SMB) trying to save money on a migration to Vista. The company might shop around to try to find the best price possible on a new software and hardware combination. The company ends up buying from someone who's actually selling pirated copies of Vista that have a driver installed to fool WGA.

Such an unscrupulous seller might just as easily have installed anything on the machines, including botnet clients, rootkits, and keyloggers that existing security solutions could fail to detect. Those processes could go undetected because a driver can mark a process as protected, and Vista then refuses most access to a protected process from other processes, including the memory-read and debug access that a scanner needs. If a process's memory space can't be inspected, any malware inside it can't be detected by inspecting that process.

Two weeks ago, Alex Ionescu released a proof-of-concept tool called D-Pin Purr 1.0. The tool, which works only on 32-bit versions of Vista, uses a driver that can protect or unprotect a process. Ionescu wrote, "It is trivial to make a process protected or unprotected by bypassing all the code integrity checks and sandbox in which protected processes are supposed to run." So basically, Ionescu found a way to bypass a major security feature of Windows Vista--one that many vendors have been complaining about because it keeps their tools from fully inspecting such processes.
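Here is an added example, written for this column rather than taken from Ionescu's tool or from the newsletter, of the check a practitioner would want on a box like the one described above: it enables SeDebugPrivilege, tries to open every process for memory reads, and reports the ones that still answer ERROR_ACCESS_DENIED. On a clean Vista system that list should be the short, known set of protected processes (audiodg.exe, for example); anything else on it deserves a look, because either a driver has protected it or something is interfering with access checks. It assumes an elevated PowerShell 2.0 or later session (Add-Type is needed for the P/Invoke declarations); the ProcProbe class name is an assumption of this example.

```powershell
# Added example, not from the newsletter or from D-Pin Purr: find processes that
# refuse PROCESS_VM_READ even to an elevated caller holding SeDebugPrivilege.
# On Vista such a refusal is the signature of a protected process.

$src = @'
using System;
using System.Runtime.InteropServices;

public static class ProcProbe   // name is an assumption of this example
{
    const uint PROCESS_QUERY_INFORMATION = 0x0400;
    const uint PROCESS_VM_READ           = 0x0010;
    const uint TOKEN_ADJUST_PRIVILEGES   = 0x0020;
    const uint TOKEN_QUERY               = 0x0008;
    const uint SE_PRIVILEGE_ENABLED      = 0x0002;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool LookupPrivilegeValue(string host, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint len, IntPtr prev, IntPtr retLen);

    // Enable SeDebugPrivilege so that "access denied" below means "protected",
    // not merely "owned by another user". Returns false if the privilege is not
    // in the token (AdjustTokenPrivileges then reports ERROR_NOT_ALL_ASSIGNED, 1300).
    public static bool EnableDebugPrivilege()
    {
        IntPtr tok;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out tok)) return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1;
        tp.Attributes = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, "SeDebugPrivilege", out tp.Luid)) { CloseHandle(tok); return false; }
        bool ok = AdjustTokenPrivileges(tok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
                  && Marshal.GetLastWin32Error() == 0;
        CloseHandle(tok);
        return ok;
    }

    // Returns 0 if the process could be opened for memory reads, otherwise the Win32 error code.
    public static int ProbeRead(int pid)
    {
        IntPtr h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, false, pid);
        if (h == IntPtr.Zero) return Marshal.GetLastWin32Error();
        CloseHandle(h);
        return 0;
    }
}
'@
Add-Type -TypeDefinition $src

if (-not [ProcProbe]::EnableDebugPrivilege()) {
    Write-Warning "Could not enable SeDebugPrivilege; run from an elevated prompt. Denials below may just be other users' processes."
}

$report = foreach ($p in Get-Process) {
    $err = [ProcProbe]::ProbeRead($p.Id)
    if ($err -eq 5) {                          # ERROR_ACCESS_DENIED: protected (or tampered) process
        [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Result = 'denied (protected?)' }
    } elseif ($err -ne 0 -and $err -ne 87) {   # 87 = ERROR_INVALID_PARAMETER: PID 0 or process already gone
        [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Result = "error $err" }
    }
}
$report | Sort-Object Pid | Format-Table -AutoSize
```

Compare the output against what you expect for the OS: on Vista the baseline is the handful of protected media processes, while on Windows 8.1 and later the Protected Process Light mechanism adds several system and antimalware processes to it, so the list is longer but still known. Keep in mind that the check runs in user mode; a rootkit with its own driver loaded can lie to this script just as easily as to any other user-mode tool, which is exactly the column's point.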

If the tool really works as intended (and while I haven't tested it, I suspect that it does), then certainly "bad guys" can create a similar tool to defend their botnet, rootkit, and keylogger code.

Sure, installing a driver on Vista requires administrative rights, and 64-bit Vista additionally refuses to load kernel-mode code that isn't signed, which seems to imply that the potential impact is limited. However, as history clearly shows, intruders routinely combine vulnerabilities and mix in social engineering, so they might eventually be able to get a driver installed.
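Since the whole scenario hinges on a driver getting loaded, the complementary check is an inventory of what kernel-mode drivers are actually registered on a machine and who signed them. The script below is an added example, not from the newsletter or from any of the tools it mentions: it lists every driver registered as a service, normalizes the kernel-style path forms the service database uses, and reports each driver's Authenticode status and signer so that a third-party driver stands out. It assumes PowerShell 3.0 or later for Get-CimInstance (use Get-WmiObject Win32_SystemDriver on older systems); the function names are assumptions of this example.

```powershell
# Added example, not from the newsletter: inventory registered kernel drivers
# with their Authenticode status and signer, so a third-party driver of the kind
# discussed in the column stands out from the inbox Microsoft set.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName may be a plain Win32 path, \??\C:\..., \SystemRoot\...,
    # or a path relative to %SystemRoot%; map each form to a Win32 path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    if ($p -like '\??\*')         { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-DriverSignatureReport {
    foreach ($d in Get-CimInstance Win32_SystemDriver) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A registered driver whose image is missing is itself worth a look.
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Status = 'file not found'; Signer = $null; Path = $d.PathName }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        [pscustomobject]@{ Name = $d.Name; State = $d.State; Status = $sig.Status; Signer = $signer; Path = $path }
    }
}

# Anything not validly signed, or validly signed by someone other than Microsoft, deserves attention;
# drivers whose State is Running matter most.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object State, Name |
    Format-Table Name, State, Status, Signer, Path -AutoSize
```

On Vista-era PowerShell, Get-AuthenticodeSignature does not consult catalog files, so many inbox Microsoft drivers show as NotSigned; the useful rows are then the ones signed by a third party or carrying no signature at all, and the Running ones first. A rootkit that hides its own service entry will not appear here, so treat this as a triage list, not as proof of a clean system.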

You can read more about Ionescu's tool in his blog at the URL below, where he also provides a download link for D-Pin Purr.

=== SPONSOR: Neverfail


The Future of Business Continuity

Having customers depend on your IT services in order to communicate, purchase, or manage orders is great for your business. But, what happens when your applications or Web sites are suddenly unavailable? Download this free white paper and learn how to eliminate application downtime disruptions of any cause and ensure the continuity of your business.



OEM BIOS Emulator Bypasses Vista Activation

While there are known methods of bypassing Windows Vista activation requirements, a new technique turns out to be the easiest and most effective so far in defeating Microsoft's Windows Genuine Advantage (WGA) technology.

Grisoft Offers Free Antirootkit Tool

Grisoft, widely known for its AVG brand of antivirus solutions, announced that it's now offering a free antirootkit tool, AVG Anti-Rootkit, for Windows 2000 and Windows XP systems.

New Storm Worm Outbreak Spreading Fast

Several companies, including Postini, iDefense Labs, and the SANS Institute, are tracking a new outbreak of a variant of the Storm worm that's producing heavier than normal detection rates around the Internet.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at



Free Brief: Personal HP Workstations = Higher ROI?

Discover why financial services executives get a LOT more out of their IT investments by investing in HP Personal Workstation Technology. Quickly learn how workstations ensure accuracy and security while driving down short and long term operating costs. This quick-read guide is a must read today.



SECURITY MATTERS BLOG: 37 Patches on the Way from Oracle

by Mark Joseph Edwards,

As part of Oracle's quarterly critical patch update, the company will release 37 patches next week. So get ready!

FAQ: Microsoft SCE 2007

by John Savill,

Q: What is System Center Essentials (SCE) 2007?

Find the answer at

FROM THE FORUM: Vote for Your Favorite IPS and Two-Factor Authentication Solutions

Tell us which security products are working for you. It's not too late to vote for the best host-based intrusion prevention system

and the best two-factor authentication solution


What products are you using that save you time or make your workload a little lighter? What hot product discoveries have you made that other IT pros need to know about? Let the world know about your experiences in Windows IT Pro's monthly What's Hot department. If we publish your story in What's Hot, we'll send you a Best Buy gift card! Send information about your favorite product and how it has helped you to [email protected]


Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Encrypt Email According to Policy

Proofpoint announced a new version of Proofpoint Secure Messaging, its policy-driven email encryption solution. The new version uses Voltage Security's Voltage Identity-Based Encryption (IBE) technology to automatically and dynamically encrypt outbound email based on customizable policies. The updated Proofpoint Secure Messaging module will be available in June 2007 as an optional component for the Proofpoint Messaging Security Gateway appliance and virtual appliance. Proofpoint Secure Messaging works with the Proofpoint Regulatory Compliance and Proofpoint Digital Asset Security content-filtering modules on the appliances. Proofpoint Secure Messaging pricing starts at $20,000. For more information, go to



For more security-related resources, visit

Gain control over the growing amount of file data in your enterprise. Learn how File Area Networks (FANs) can help you centralize file consolidation, migration, replication, and failover. Download this eBook and start streamlining your file management projects today!

One common set of controls can help you manage compliance across multiple regulations and standards. Download this free IDC white paper and find out how to map controls to the appropriate regulations and save time and expense in demonstrating compliance.

You can't prevent nature from throwing floods, hurricanes, and earthquakes at your IT systems. You can't always control what people might do to your systems, either. Download this free eBook and learn to protect your business in the face of both natural and human-made disasters.



Built-in SQL Server data protection features aren't enough. Learn to use an automated data protection solution that provides 24x7 availability to meet today's critical business demands.



Introducing a Unique Security Resource

Security Pro VIP is an online information center that delivers new articles every week on topics such as perimeter security, authentication, and system patches. Subscribers also receive tips, cautionary advice, direct access to our editors, and a host of other benefits! Order now at an exclusive charter rate and save up to $50!

Grab Your Share of the Spotlight!

Nominate yourself or a peer to become IT Pro of the Month. This is your chance to get the recognition you deserve! Winners will receive over $600 in IT resources and be featured in Windows IT Pro. It's easy to enter--we're accepting June nominations now, but only for a limited time! Submit your nomination today:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and Security Pro VIP (second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2007, Penton Media, Inc. All rights reserved.
