New Windows 7 hack purports to be "unfixable"

A hack that's "unfixable" is a pretty bold claim, but that's just what researchers Vipin Kumar and Nitin Kumar have announced at the now-happening Hack in the Box security conference, and they seem ready to back it up. Apparently, they've devised a means to gain control of a Windows 7 computer during the boot-up process through the use of a tiny 3KB program dubbed VBootkit 2.0 (a follow-up to a similar Vista hack), which loads itself into system memory and bypasses the hard drive altogether, making it extremely difficult to detect. Once loaded, an ill-intentioned individual could potentially change passwords, access protected files, or do just about anything else and then leave without a trace. The one fairly big drawback to the hack, however, and upside for most users, is that it can't be performed remotely, so it'll likely only be a significant concern for businesses or other folks using computers in public places -- unless, of course, Microsoft finds a way to fix the "unfixable."
[Via Electronista]
You == STUPID.
Back to school newb.
It amuses me that after all the money that goes into research/IT/software development, Windows still has these problems. That's what happens when you subcontract your work to Arvato Digital Services in Weaverville NC and expect a bunch of losers who you pay 9 bucks an hour to do a professional job writing your software. Typical capitalistic move on MS's part, but I promise you they will deny such a claim.
Wouldn't locking down the BIOS to only boot from the hard drive prevent this?
If I'm reading the PDF correctly, it requires booting from a CD / USB drive that then boots the hard drive.
Sounds like a boon to people who have forgotten their passwords.
Why should MS be fixing this if it boots up before the hard drive is even detected? Surely it's nothing to do with Windows??
What is this? Access the physical machine and install VNC as a service, then complain that my PC is accessible from anywhere! This is the funniest hack I have ever seen. Of course it's unfixable; this is an installation, not a hack.
> "Normally I'd agree. But in this case it mentions that "protected" files can become accessible. If they mean encrypted files this is a big flaw in Windows security. If I'm not mistaken encryption should use the user's MD5 or likewise password as the key to unlock the files. If just changing the password file gives you access to encrypted documents on Windows 7 that's a big flaw."
Explain to me this: how would you suggest that the OS protect against this attack? The code loads prior to the OS ever starting, and then can modify OS routines in memory prior to their execution. Ergo, even if the OS had integrity checks (Windows certainly does), they can be modified prior to execution. The nature of this exploit is not to simply alter the password file (it in fact does not alter any file on disk), nor does doing so grant access to encrypted files (incidentally, encryption keys are stored in the protected data store governed by DPAPI, not the NTLM hashes that passwords are stored in; unlike Linux, Windows actually has a proper protected data store). The reason it can read protected files encrypted by the OS is because the OS can read said files (that is the design: if you want encrypted files not inherently readable by the OS, use a non-OS mechanism to govern encryption), and the exploit controls the OS code that is loaded in memory. Thus, since the exploit essentially controls the OS, and the OS can read the files, the files can be read by the exploit code. This is not a problem the OS can solve. It must be solved by integrity controls in the boot process, prior to the OS code loading.
Not only can it not be deployed remotely, it cannot be deployed locally if you can't get administrator access or supply your own boot volume.
A hack that has to be physically installed to the computer is not all that much of a hack. I mean, they could just take the hard drive of the computer too ... I mean, that'd be a hack that's impossible for Microsoft to prevent.
The reality is you can do the same thing with a Windows Vista DVD. To test it, I booted to a Vista DVD at work once and, using the Windows Recovery Environment, could access a user's files easily. Even if the system had XP. This "vulnerability" has been around since Windows 2000 and in reality, it is hardly one due to the requirement of having to physically stand or sit directly in front of the machine you wish to compromise.
I for one would like to post my disappointment in Engadget for posting this article in this manner. All you're doing is driving the scare-hype machine further and faster. The reality of how this "hack" will affect most end users (i.e. your readers) should lead this article, not a headline that allows those with less Windows knowledge to think that Windows 7 is permanently broken out of the box.
For shame Engadget, for shame.
It's like saying "I've created the most powerful weapon ever!!! But you have to paste this targeting beacon on the enemy first."
Um, OK, can't be done remotely. So how about my new UNFIXABLE HACK WHICH WORKS ON ALL MACS. Here it is: steal your whole computer.
Exactly. STFU and stop spreading FUD.
I highly doubt this is unfixable. Contrary to what you read in the comments, Microsoft has some brilliant people working on fixing problems like this. And the fact that they just explained how the hack works step by step over the internets doesn't help the hackers either.
Haha, brilliant people, yeah OK, they fix things so well. The last update for my Windows fixed the SAME issue they've 'fixed' 4 times now, and issues that have been in Windows since W95 (or earlier). Brilliant.
Mind you, they 'fixed' people noticing all the fixes with their automatic updates, and their triple link to finally see details of fixes on manual updates; their slogan is "what you don't know can't embarrass us".
This is not really a W7 problem at all; if you can subvert the boot process, then you can take over any operating system. This particular version may be Windows specific, but in principle it could be written to subvert any operating system.
White Castle can fix anything! Kumar is Harold's biatch!
Wait. You mean if I have physical access to a machine I can pwn it? NO WAY!
I'm sure the media newbs will eat this shit up. And the clueless "security via obscurity" mac dorks.
Here's a similar approach, the only difference probably being that it's downloadable :D.
Kon-boot: http://piotrbania.com/all/kon-boot/
Wow, they said the same thing about Vista. If you unscramble the bull you get "If we had control of the computer we could do very nasty things to it"...
*slow clap*
weally nowww
Do the impossible, fix the unfixable-
ROW ROW FIGHT THE POWAH.
They should change the name of the conference to d*ck in the box.
It can't be performed remotely!? What kind of hack is that!? That's like saying a hammer is an unstoppable hack, "but it can't be performed remotely".