Aussies rage against Vista security feature

An Australian security company whose free utility Microsoft has blocked lashes out at the American software giant.

Linchpin Labs, a small Australian security company whose free utility Microsoft has blocked from loading unsigned drivers into Windows Vista, has lashed out at the American giant. Microsoft, says Linchpin, should set its own security house in order before it accuses other developers of turning their legitimate software into threats.

Earlier this month, the Sydney, Australia-based Linchpin released Atsiv, a program that uses a signed driver to load other, unsigned drivers into the 64-bit Vista kernel, behaviour that Microsoft said late last week evades a Vista security feature. In 64-bit Vista, only drivers accompanied by a valid digital certificate may load into the kernel; the provision is meant to stymie hackers from infiltrating the kernel with, among other things, malware-cloaking rootkits. Late last week, working with VeriSign, which had issued the Atsiv certificate, Microsoft got Atsiv's signing key revoked, blocking the utility from loading its driver.

Calling the certificate-bearing utility a "potential as well as actual security threat," Microsoft said it also recently added signatures to its antispyware program Windows Defender to detect, block and remove Atsiv's current driver.

On Monday, in response to emailed queries by Computerworld, Linchpin defended its software as legitimate. "[Atsiv] assists users of Microsoft Vista that are currently unable to use legacy hardware without signed drivers, and casual developers (such as hobbyists) that are not able to use a company's signing certificate," the company said. "With Atsiv, consumers could once again make use of their legacy hardware, actually increasing the user experience of Microsoft Windows Vista."

Even so, it knew when it was beat. "Linchpin Labs will not be acquiring a new certificate to support Atsiv, as Microsoft would undoubtedly push to revoke it as well," the statement read.

"[But] Atsiv does not threaten the user, nor does it provide anonymity to the client drivers that it is used to load," the company said before launching into a serious of rhetorical questions. "What is Microsoft doing to protect the consumer from actual malicious software for which Microsoft does not have a signature? What about signed drivers that contain exploitable vulnerabilities? What about drivers signed and supported by the malware industry?"

As have users reacting to the blog posting in which Windows security architect Scott Field announced the revocation of Atsiv's certificate, Linchpin cast Microsoft's move as the first step on a slippery slope. "The fact [that] Microsoft has taken it upon itself to revoke the Atsiv certificate based on its own definition for malware sets a concerning precedent, one that should not be ignored," Linchpin said. "What if anti-SRE [software reverse engineering] software from company X incorporates a stealth service to help protect products? What if software from company Z implements a system for injecting and running Linux drivers in the Windows kernel?"

Linchpin also unleashed the "A" word — antitrust. "The long-term impact of this decision by Microsoft will be interesting, as denial-of-service of legitimate software, justified by an arbitrary definition of malware and subjectively enforced, raises the question of antitrust violations."

Others expressed similar thoughts in reaction to Field's blog. "I don't like the idea that MS [Microsoft] can be the sole arbiter of what I can and can't run on my machine," wrote someone identified only as Peter. "What happens when a vendor releases a driver for a piece of software that competes with a MS product? I really don't like where MS is going on this."

Several users also commenting to Field's post, however, noted that the certificate revocation doesn't necessarily preclude Atsiv use, since one can load unsigned code by pressing F8 at boot and choosing "Disable Driver Signature Enforcement."

But that raised more questions. "While this would appear to be a legitimate method of loading an otherwise unsigned driver because it is using Microsoft documented methods, I wonder how this differs greatly from what Atsiv set out to do," said a user named Ben. "Atsiv used Microsoft-documented methods."

Linchpin's last word on the brouhaha was a final shot at Microsoft. "[We] would like to suggest that Microsoft spend less time using debatable policy as a security mechanism, and spend more time actually tightening its operating systems," the company said. "For the casual reader, we encourage awareness of the difference between solid security and a powerful marketing campaign."

Join the newsletter!

Error: Please check your email address.

Tags MicrosoftSecurity IDatsiv

Show Comments

Market Place

[]