Security Watch

Vista and Blue Pill: Debunking the Myth

Blue Pill is easier to swallow now that the trick has been more closely scrutinized. Plus, a look at what's on your hard drives that you thought you erased.

A security researcher named Joanna Rutkowska claimed to have bypassed Windows Vista's default protection against running unsigned code. To do this, she used malware that she created and called "Blue Pill." The malware takes advantage of a feature of newer AMD processors to move the entire running OS into virtual memory. She did this by logging on with administrative privileges, which is not the default configuration. Reverting to a less privileged user left her malware in place and allowed her to run unsigned code. This, she claimed, would be undetectable. In an interview, one of the leading virtualization engineers, Anthony Liguori, dismissed Rutkowska's claims: "I don't feel there is any new risk here at all."

There are a couple of issues that need to be addressed in this story. First, Rutkowska claimed to have found a flaw in Vista or, more importantly, to have been able to run malware on Vista. Not true. As an administrator, Rutkowska should be able to run any code she chooses, signed or not; Vista doesn't attempt to prevent administrators from such actions. Users, on the other hand, should not be able to run code such as Blue Pill, and in fact Blue Pill would not run if the user didn't have administrator privileges. So, no flaw in Vista was discovered, although Microsoft has said that it's investigating Blue Pill to see if there's something it should add to or modify in Vista. Liguori suggests that Microsoft shouldn't bother wasting any time on this.

Next is the issue of moving the OS into a VM, which is a feature of the AMD processor and should be possible. Think of it as putting a laptop into hibernation mode; nothing new there.

Finally, there's the issue of whether such actions are "detectable." One of Rutkowska's biggest claims is that Blue Pill and malware like it will be "completely undetectable." Liguori flatly disputes that this is even possible. It boils down to whether it's possible to convince the OS, which has been placed in a VM, that it is not. The complexity of the malware would have to be beyond that of fully developed VM managers, such as Xen or VMware, as both are detectable using the methods Liguori explains.

The bottom line: While Blue Pill may have been a darling at Black Hat and Rutkowska has certainly had her 15 minutes of fame, the risk to users of Vista, AMD processors or PCs in general has not changed, nor is it likely to, because of Blue Pill.

It should be pointed out, however, that Rutkowska has produced a number of thought-provoking white papers on how to hide things, none of which has been realized in a real-world scenario.

Disk Drive Researchers Turn Up Disturbing Data
For a study, researchers purchased and analyzed some 300 used hard disks to see whether their former owners had adequately wiped them prior to getting rid of them. Almost half -- 49 percent -- did not, and several contained information, including kiddie porn, that could be used for blackmail.

On the down side, it's unfortunately no surprise. Far too many people don't realize that the data on their drive could be accessed by others, let alone know how to properly erase the drive to ensure it cannot be accessed. On the up side, the study shows that the number of properly wiped drives had doubled since a similar study last year.

If there's anything to be gleaned by administrators from such an effort, it's that you should be very careful about whom you contract to erase sensitive information from your hard drives. There may be no way to verify that such a contract is being handled adequately, and therefore no way to ensure that you won't find yourself in the news as a result of a data leak. Will it really be enough to say, "Well, hey, it's not our fault, we hired so and so to do that!"?

Centrelink: "Zero tolerance on privacy breaches"
The Australian government's welfare agency, known as Centrelink, has demonstrated its "zero tolerance" policy. After discovering more than 600 cases of inappropriate data access by employees, it dismissed 19 employees. Ninety-two others resigned and 300 were fined or received salary reductions. The remaining 189 were reprimanded, demoted or warned. Five of the cases involved data being altered, and those have been turned over to the Australian Federal Police.

It's excellent to see an employer using such a range of actions to deal with a policy violation. Of course if you are Australian, you may be left wondering why any of these employees are still employed. However, we've said before that just as there are differing levels of violations, so too should there be differing levels of action by employers.

Centrelink is using software to monitor employee access to its 6 million customer records while performing more than 80 million transactions per week.

Departing Workers' Copying Not Criminal
A recent ruling by the U.S. District Court for the Middle District of Florida finds that an employee's intent cannot be used to convict them of exceeding authorized access as it is defined under the Computer Fraud and Abuse Act (CFAA). Previous rulings had found that employees were guilty of that offense when, say, they copied all of their employer's customer records just before leaving for a rival company.

The impact of this ruling may be that companies need to improve the wording of their employee policies regarding the handling of such data. The judge here ruled that the term cannot apply to someone who, at the time of the data access, was authorized to access said data. Previously, that notion was ignored when it could be shown that the employee was acting with the intent of using the data for unauthorized purposes, such as with their next employer.

While examining your policies, consider being more granular with your permissions. For example, an employee may need access to customer records. Do you grant permission for them to access all customer records, or only their customer records? The difference could be considerable, especially in a case where the data has been copied and taken to a rival.

It is interesting to note that access control has become, over the past 10 years, less and less granular -- this, despite the fact that the tools have offered more granularity, not less. The Cybertrust RIT believes it could be due to the fact that increased granularity requires increased knowledge, time to implement and effort to audit. In other words, as security tools have evolved to provide more choices in how and what is secured, security may be dropping due to the complexity of implementing those features.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
