Windows Secrets Newsletter • Issue 107 • 2007-05-10 • Circulation: over 270,000
   
     
Contents

TOP STORY: Driver signing is a failure for Vista
KNOWN ISSUES: Readers' revelations on DEP and software discounts
WACKY WEB WEEK: The world's first IT professional
PC TUNE-UP: How to spot your enemies on the Internet
OVER THE HORIZON: Dangerous .doc files and phishing attacks
PATCH WATCH: Critical patches for Exchange and your workstations
YOUR SUBSCRIPTION: How to change your address or unsubscribe

TOP STORY

Driver signing is a failure for Vista

By Scott Dunn

To back up its claims that Windows Vista is "the safest version of Windows ever," Microsoft requires developers to use digital signatures on all 64-bit drivers for Vista.

This requirement, far from making the new operating system safer, actually does little to stop hackers but may be partially responsible for a shortage of drivers that are needed by Vista users.

Why digital signing matters to you

To create a driver for the 64-bit version of Vista, a software developer first obtains a Class 3 software-publishing certificate from an approved Microsoft certificate authority (such as VeriSign). That certificate is then used to digitally "sign" the product (apply identifying code to it). The certifying authority is supposed to require identification and do the necessary research to make sure the driver comes from a legitimate applicant.

Drivers often need to operate at what is called the kernel level — the very core of the operating system. The privileged nature of the kernel means that it needs special protection. Any compromise to the kernel can potentially bring down the entire system. Consequently, Microsoft is anxious to protect the kernel, especially since "rootkits" can use drivers and kernel-level software to hide from the operating system.

There's another reason Microsoft is anxious to secure this key part of Vista, however. The company is promoting Digital Rights Management (DRM), which is used by copyright holders to restrict the use of content. Because Microsoft wants Vista positioned as a platform that is safe for protected content, it needs its operating system to stop hacker code from intercepting media streams. Software could, for example, redirect music from a PC's sound card and send it to the hard disk instead.

How driver signing works

Digital signing seeks to make visible the source of kernel-mode software. If the 64-bit version of Vista determines that a 64-bit driver doesn't have a signature from an accepted authority, the operating system will prevent it from loading.

But, of course, once a certificate is issued, it's somewhat out of the hands of the trusted certificate authority. A vendor with a valid certificate could still produce buggy or malicious code using the certificate, or sell it to someone else who could. More likely, a stolen certificate could be published on the Web and used by hackers to produce their own brand of malware.

In theory, once such a compromise is discovered, Microsoft can revoke the certificate (which, in the case of a hardware driver, would disable all products from the certificate holder). This could be done via a Windows Update that tells Vista to block the signature in question.
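An added example, not part of the original newsletter, of the defender's side of this: inventory the running kernel drivers, record who signed each one, and flag any whose signature is not valid or whose signing certificate appears on a list of certificates reported as compromised. `Resolve-DriverPath` and `$ReportedThumbprints` are hypothetical names, and the thumbprint is a constructed placeholder.

```powershell
# Added example: audit the signatures of running kernel drivers.
# Run from an elevated 64-bit PowerShell 3.0 or later so driver paths resolve.

# Constructed placeholder; replace with thumbprints taken from a real advisory.
$ReportedThumbprints = @('0000000000000000000000000000000000000000')

function Resolve-DriverPath {
    # Hypothetical helper: turn the path forms the driver list can return
    # ("\??\C:\...", "\SystemRoot\...", "system32\...") into a normal path.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            Driver     = $_.Name
            Path       = $path
            Status     = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            Reported   = [bool]($cert -and ($ReportedThumbprints -contains $cert.Thumbprint))
        }
    }

# Drivers that need a closer look: signature not valid, or signer on the list.
# Caveat: PowerShell versions that do not consult security catalogs can report
# catalog-signed inbox drivers as NotSigned.
$report | Where-Object { $_.Status -ne 'Valid' -or $_.Reported } |
    Format-Table Driver, Status, Reported, Path -AutoSize

# How many running drivers each publisher accounts for.
$report | Group-Object Signer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The per-signer summary shows how many running drivers depend on each certificate, which is the set of products that would stop loading if that certificate were revoked.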

The new world order of x64 Vista drivers

Microsoft has long encouraged the digital signing of software. Signed software is intended to let users know the source of a downloaded program. Users can then presumably decide whether it comes from a "trusted" source. Digital signing also lets Microsoft identify the developer of a program that has crashed, assuming users choose to send Microsoft an error report when the fault occurs.

With Windows Vista, Microsoft has taken advances in code-signing technology further, making digital signing a requirement in some cases. Here are just a few of the new driver-signing requirements (or "features," as Microsoft calls them) for Vista:
  • Only administrators can install unsigned kernel-mode software.
  • Kernel-mode software must be digitally signed in order to run in the 64-bit versions of Vista. Even administrators can't load unsigned drivers in these versions.
  • Driver software that loads at boot time must also have a digital signature.
  • Software involved in the streaming of protected content also requires a digital signature.
  • Hardware drivers must have digital signatures to pass Microsoft's Windows Logo Program.
To further complicate matters, different (and, in some cases, multiple) kinds of signatures may be required for different occasions. For example, in addition to Kernel-Mode Code Signing (KMCS), developers who want the Microsoft Windows logo on their products may need to submit their products to Microsoft's Windows Hardware Quality Labs (WHQL) to receive a WHQL digital signature.

Digital signing does nothing to stop hackers

Unfortunately, driver signing, as it is currently implemented by Microsoft, appears to be creating more obstacles for developers and customers than it is for hackers. Even before the final beta of Vista was released, the Black Hat Briefings hacking conference demonstrated how easily the driver-signing security could be defeated, as described in an eWeek article.

Vista's release candidates didn't fare much better. Researchers at India's NV Labs were able to devise a product called Vbootkit that bypasses driver-signing protection in RC1 and RC2.

Finally, experts at Symantec's Security Response Advanced Threat Research group recently announced in a PDF report that they had succeeded in disabling the new restrictions on 64-bit Vista after just one week of testing.

How digital signing burdens developers

If driver signing hasn't been an impediment to serious hackers, it has been a roadblock for legitimate developers of Vista drivers. Obtaining the necessary certificate for digital signing reportedly costs US$500 per year (less if a developer signs a multi-year agreement). Once obtained, the certificate has to be kept secure, since a stolen and published certificate could be used by anyone to sign a driver.

Then there are the technical hurdles, such as those needed to meet Microsoft's WHQL signing requirements. In a recent analysis of Windows' content protection schemes, Peter Gutmann, researcher at the University of Auckland's Department of Computer Science, writes, "The vast majority of drivers running on PCs today aren't signed, not so much because the developers couldn't be bothered, but because the WHQL process that produces the signed drivers is so slow that they're obsolete by the time they've been approved by Microsoft (and even some of the WHQL-certified ones are still pretty flaky)."

Evidence of this situation isn't hard to find. Complaints about the lack of sound, mouse, and video drivers for Vista — months after its Jan. 30 consumer release — are rife, including an APC Magazine article by James Bannan. One angry user, consultant Dan Goldman, has created a Web site advocating a class-action lawsuit against Nvidia and some of its partners for video drivers that claimed to be "Vista Ready Certified" and "Designed for Windows Vista."

Similarly, the Techarp Web site reports that ATI shipped its Radeon X1950 GT graphics card with a "Windows Vista Certified" label on the box, despite the fact that it contained no Vista driver at all. The release notes admit that fact, in apparent contradiction to the box label.

Microsoft can do better than this

Microsoft cannot expect widespread adoption of its new operating system if users cannot depend on the availability of drivers to support the most popular hardware configurations. Nor will customers feel safe with Vista when experts continue to report how easy it is to poke holes in Microsoft's new defenses. Users need to demand that Microsoft simply do its job better before releasing a new operating system, providing a stronger defense against hackers without placing undue burdens on developers.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

KNOWN ISSUES

Readers' revelations on DEP and software discounts

By Scott Dunn

Windows' Data Execution Prevention (DEP) feature provides important protection against malicious code, as I described in my May 3 article.

But additional free tools reported by our readers make the feature even more accessible to users of Windows XP.

Finding hardware DEP support in XP

Richard Wilcox has important information that will be of interest to XP users:
  • "Windows XP SP2 does indeed support hardware DEP, if you have an AMD or Intel processor with this feature, according to a Microsoft Knowledge Base article."
As Richard points out, this feature was first introduced with XP Service Pack 2 (SP2). Note, however, that the Data Execution Prevention tab in SP2's Performance Options dialog box does not report on your hardware's DEP capabilities, the way Vista's dialog box does.

Fortunately, other readers, including Stuartt Cuthill, point out that you can get this information by using a very simple freeware application, Securable, from Gibson Research Corporation.

Detecting DEP settings in XP

A number of readers, including Jeff Kohut, pointed out that XP users can also detect whether DEP is enabled for a particular process by downloading the free Sysinternals utility Process Explorer from Microsoft.

Process Explorer mimics most features of Task Manager and can be set up to display DEP status by choosing View, Select Columns. Check DEP Status on the Process Image tab and click OK.

Windows, not your browser, controls DEP

One reader, identified as "Molotov," also uses Process Explorer and has a number of useful points about DEP:
  • " 'Hacker programs' are not the only kinds of programs that can utilize the behavior DEP is designed to prevent. Indeed, the technique is so common that Microsoft decided to change the default setting for DEP in XP SP2 from OPTOUT (Enable DEP for all executables, except those specified) to OPTIN (Enable DEP for core Windows system images) because in service pack testing, so many programs were affected by DEP.

    "The discussion of browsers and their ability to ignore the DEP settings was interesting to me, as I am running XP SP2 (DEP setting of OPTOUT), and both IE 7 and Firefox run with DEP enabled (On, as reported by Process Explorer for firefox.exe and iexplore.exe) on my system.

    "This makes me question the statement, 'XP users apparently have no way to activate DEP for IE 7.' IE 7 (as well as IE 6) respect the operating system's DEP setting. Though I did not try other browsers in these VPC images, I suspect the results would be the same as my findings for IE 6/IE 7 and my experience on my 'real' system. Add-ons for the browsers could certainly have an impact on the experience one has with the DEP setting enabled for the browser process, which may lead one to add the process to the DEP exclusion list.

    "The statement, 'IE 7 is not the only program that ignores Windows global DEP settings. Even with DEP turned on globally, Task Manager shows that neither Mozilla Firefox nor Opera support DEP,' is misleading, in the sense that what Task Manager (or Process Explorer) is really showing is that DEP is or is not 'enabled' or 'turned on' for the particular process, not that the process does or doesn't support DEP."
As Molotov points out, it's the hardware and the Windows operating system that control DEP, not individual applications. It now appears that XP does enable DEP for browsers when you choose Turn on DEP for all programs and services except those I select.

However, this is not the case in Vista, which may be excluding browsers for compatibility's sake, despite the user's DEP setting. It remains the case that in Vista, IE7 is the only browser that can have DEP enabled. This requires a setting change in the Internet Properties Control Panel, as described in the May 3 article.
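The same two pieces of information discussed above, the system-wide policy (OPTIN, OPTOUT and so on) and the DEP state of each process that Process Explorer shows, can be read from a script. This is an added example, not code from the newsletter or its readers; `DepAudit.Native` and `Get-ProcessDepStatus` are hypothetical names, and it assumes PowerShell 3.0 or later on a Windows version that provides `GetProcessDEPPolicy` (XP SP3, Vista SP1, or newer).

```powershell
# Added example: system-wide DEP policy plus per-process DEP state.
# Run elevated to query processes that belong to other users.
Add-Type -Namespace DepAudit -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr process, out uint flags, out bool permanent);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr handle);
'@

$PROCESS_QUERY_INFORMATION = 0x0400   # access right GetProcessDEPPolicy requires
$PROCESS_DEP_ENABLE        = 0x1      # flag bit: DEP is on for the process
$ERROR_NOT_SUPPORTED       = 50       # returned when the target is a 64-bit process

function Get-ProcessDepStatus {
    param([Parameter(Mandatory = $true)][int]$Id)

    $handle = [DepAudit.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, [uint32]$Id)
    if ($handle -eq [IntPtr]::Zero) { return 'Unknown (cannot open process)' }
    try {
        $flags     = [uint32]0
        $permanent = $false
        $ok  = [DepAudit.Native]::GetProcessDEPPolicy($handle, [ref]$flags, [ref]$permanent)
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        if (-not $ok) {
            # The API covers 32-bit processes only; 64-bit processes always run with DEP.
            if ($err -eq $ERROR_NOT_SUPPORTED) { return 'On (64-bit process, always enforced)' }
            return "Unknown (error $err)"
        }
        if (($flags -band $PROCESS_DEP_ENABLE) -eq 0) { return 'Off' }
        if ($permanent) { return 'On (permanent)' }
        return 'On'
    }
    finally { [void][DepAudit.Native]::CloseHandle($handle) }
}

# System-wide settings: hardware support and the boot-time policy.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-CimInstance -ClassName Win32_OperatingSystem
[pscustomobject]@{
    HardwareDepAvailable = $os.DataExecutionPrevention_Available
    SystemPolicy         = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    AppliesTo32BitApps   = $os.DataExecutionPrevention_32BitApplications
} | Format-List

# Per-process state, the equivalent of Process Explorer's DEP Status column.
Get-Process | Sort-Object ProcessName | ForEach-Object {
    [pscustomobject]@{
        Name = $_.ProcessName
        Id   = $_.Id
        DEP  = Get-ProcessDepStatus -Id $_.Id
    }
} | Format-Table -AutoSize
```

Comparing the `SystemPolicy` value with the per-process column shows which processes the operating system has left without DEP under the current policy.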

Even more discount programs for MS software

David Hightower points out a great way for home users to get Microsoft software at a terrific discount, if they work for the right employer:
  • "Lots of companies have 'home use' agreements with Microsoft, including military, civilian employees, and contractors working for the U.S. government. Participation in the Home Use Program (HUP) lets you obtain a licensed copy of Microsoft Office and selected additional desktop applications (such as Front Page, Project, and Visio) to install and use on your home computer for a nominal cost. To participate, go to the HUP Web site and follow the instructions.

    "In addition to HUP, Microsoft also offers the Employee Purchase Program (EPP), which is available to government personnel (military, civilian employees, and contractors). The EPP lets participants purchase some of Microsoft's most popular consumer software and hardware at discounted prices (Office, Windows XP/Vista, Money, etc.). To participate, go to the EPP Web site and follow the instructions."
Microsoft's Home Use program does offer amazing discounts for those who qualify. To do so, however, you'll have to work for an organization that is signed up with Microsoft's Software Assurance volume-licensing program. The program is designed to let employees work at home using the same software they do at work.

Consequently, the software available to you depends on what software your organization has licensed. One reader who uses this program, Evan Orensky, wrote to say that he got a copy of MS Office 2007 Enterprise for just a fulfillment fee, which in his case was US$20, plus tax. "The license is valid for as long as you work for the company, and as long as the company maintains its Software Assurance coverage," he adds.

OEM discounts can apply to end users

Some readers thought an interpretation of OEM software licensing terms that we printed in the May 3 newsletter was too restrictive. Michael Sullivan writes:
  • "Your article suggests that only 'authorized dealers' can sell Microsoft Windows OEM software. I don't think this is accurate. The OEM license, which you [Susan Bradley] post on your site, and which is also available at Microsoft's site, makes clear that the license only applies if a 'system builder' accepts the license agreement by opening the package. If the package is unopened, the agreement is inapplicable and the owner may 'transfer' (i.e., sell) the package intact to another 'system builder.'

    "Are Amazon or Newegg system builders? I don't think so. Are they selling OEM packages? Yes. Are they bound by any shrink-wrap licensing restrictions on packages they don't open? No way.

    "You are correct in stating that a person opening the package must become a 'system builder' by registering with the Microsoft Partner Program, at least to the extent the shrink-wrap license is legally binding, which is by no means clear. This requirement is not stated in the agreement itself, but is incorporated into it through the back door by insisting that the license is only valid if the OS is preinstalled using certain tools that, it turns out, are only available if one registers as a system builder.

    "In any event, one doesn't have to be a system builder on the scale of Michael Dell to qualify. If a computer builder, who can be an individual, registers and uses the tools provided, he or she can legally buy the OEM software from anyone (such as Amazon or Newegg) — not just Microsoft's half-dozen authorized distributors — and preinstall it with the designated tools on computers for his or her customers."
A similar point is made by another reader, Sean Toner, who writes to point out that the OEM license agreement actually defines a system builder more broadly than one might assume. It states that a system builder is "an original equipment manufacturer, an assembler, refurbisher, or pre-installer of software on computer systems."

Still another reader, Poul Andeersen, cites a Microsoft posting on the Small Business Community Blog stating that "OEM system builder software packs ... are not intended for distribution to end users. Unless the end user is actually assembling his/her own PC, in which case, that end user is considered a system builder as well." [emphasis added]

Such a statement suggests that hobbyists who are assembling or refurbishing a system may legitimately buy OEM system builder products.

More deals for Australian students

Finally, Lyn Hancock writes in with another way for Australian students to get software through an academic discount.
  • "The most surprising deal that I have seen for university students is from Microsoft itself! Check out Microsoft's Unistudentoffer site as well as their It's Not Cheating site. The offer of a perpetual license for Microsoft Office Ultimate 2007 is unbelievable!

    "Basically, if you have a valid Australian university e-mail address, you can purchase either a 12-month license for this bundle for AU$25 (about US$21) or a perpetual license for AU$75 (US$62). The only catch is that the offer is valid for only three months, which ends on May 28."
Thanks for the tip, Lyn!


The address of this issue is http://WindowsSecrets.com/comp/070510

   
   

   
   
WACKY WEB WEEK

The world's first IT professional

We tend to take our company's helpdesk, IT, and support personnel for granted — until something goes wrong. But do you know how far back this venerable profession goes? Have you ever wondered how IT pros of ancient days helped employees with the earliest word-processing systems?

This side-splitting video, recently posted on YouTube, takes a stab at answering those questions with a short sketch about the first "operating system" — the book!


   
   
YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published weekly on the 1st through 4th Thursdays of each month, plus occasional news updates. Vacation breaks occur in late August, Thanksgiving Week, and Christmas/New Year's.

Publisher: WindowsSecrets.com, Attn.: #120 Editor, 1700 7th Ave., Suite 116, Seattle, WA 98101-1323 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editorial Director: Brian Livingston. Editor-at-Large: Fred Langa. Associate Editor: Scott Dunn. Contributing Editors: Susan Bradley, Mark Edwards, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler. Managing Editor: Jody Braverman.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, LangaList, LangaList Plus, WinFind, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2007 by WindowsSecrets.com LLC. All rights reserved.
