
Microsoft's Mark

To everything a price.


Mark Russinovich used to be one of the hero warriors of the Windows platform. If anyone doubted that his becoming a 'Microsoft fellow' in 2006 would also mean switching sides, they need only read up on the latest hypervisor brouhaha.

For those short on memory, Russinovich is best known for discovering the Sony BMG DRM rootkit. Others may remember his work with Andrew Schulman in uncovering Bill Gates' infamous 'AARD code', and his discovery that Windows NT Server and Windows NT Workstation, despite a dramatic disparity in licensing costs, differed only in two Registry keys closely guarded against tampering.

Still others might remember him for debunking Steve Gibson's attempt to stir the pot in the WMF debacle with wild and incompetent accusations that Microsoft had back doors in its code.

Together with Bryce Cogswell, Russinovich ran the immensely popular Sysinternals website and even the commercial spinoff Winternals website. Then on 18 July 2006 Bill Gates acquired Russinovich lock, stock, and barrel. And those who were familiar with Russinovich's work already understood the worst.

Everyone's Joanna

Joanna Rutkowska is the new Mark Russinovich, perhaps even surpassing him in ambition and skills. Based in Poland, Joanna works for a company in Singapore and spends a great deal of her time trotting the globe to appear at security dos.

For the year 2007 she's already booked through to the summer with stop-offs in Hamburg, Washington DC, New York, London, the Netherlands, and Krakow.

The delightful Joanna was cited by eWEEK as one of the five most influential 'hackers' of 2006.

Joanna is perhaps best known for her presentation at Black Hat on 4 August 2006 which included two nearly foolproof methods to completely bypass the security 'scheming' of Microsoft's new OS.

The second of these methods dubbed Blue Pill drew the more attention: it exploits 'hypervisor' virtualisation and is reputedly 100% undetectable.

Invisible Things

On 4 February Joanna posted a new article at her aptly named blog 'Invisible Things' assessing Microsoft's new OS and its 'security model' as a 'big joke'.

One thing that I found particularly annoying though is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So when you try to run such a program you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game you will have to run its installer as administrator, giving it not only full access to all your file system and Registry, but also allowing e.g. to load kernel drivers! Why should a Tetris installer be allowed to load kernel drivers?

And Joanna goes on to explain exactly why this happens, and has even forecast that unless Microsoft do something about this 'blooper', their security status quo will be worse than XP's in a matter of weeks.

She also points out that her own workarounds for XP won't work anymore.

Even though it's possible to disable heuristics-based installer detection via local policy settings, that doesn't seem to work for those installer executables which have an embedded manifest saying they should be run as administrator.

I see the above limitation as a very severe hole in the design of UAC.
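The 'embedded manifest' Joanna refers to is a small XML document compiled into the executable as a resource. The two manifests below are an added illustration, not code from Joanna's post or from Radsoft, and the assembly names in them are made up; the element names and the level values (asInvoker, highestAvailable, requireAdministrator) are the ones Windows actually reads.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Manifest 1 (constructed example): what a typical installer ships with.
     Windows honours this regardless of the local policy that turns off
     heuristic installer detection, which is the limitation Joanna describes. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Example.TetrisSetup" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- Always prompts for elevation; the installer then runs with a
             full administrator token, including the right to load drivers. -->
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

<!-- Manifest 2 (constructed example): the least-privilege alternative for a
     program that only needs to write under the user's own profile.
     With asInvoker there is no UAC prompt and the process keeps the
     standard-user token it was launched with. -->
<!--
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="X86"
                    name="Example.TetrisSetup" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
-->
```

The practical consequence for anyone vetting a download is that the manifest, not the filename heuristic, decides the outcome: a file whose manifest says requireAdministrator will prompt for elevation no matter how the policy is set, so the question to ask before clicking 'Allow' is whether the program has any legitimate reason to run with the full token at all.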

Mark to the Rescue?

But Mark Russinovich is no longer in the bug hunting (or scandal hunting) business. As he's now employed by Bill Gates as Mr Damage Control, he can be called out whenever Gates' corporate revenues are threatened.

Because elevations and ILs don't define a security boundary, potential avenues of attack, regardless of ease or scope, are not security bugs.

Both Mark Russinovich and his new employer seem to believe in this method of fixing security issues: reclassify them and most people (and especially the media) will be too confused to follow along anymore.

Save for those who dare take the Red Pill.

All Base No Longer Belong To

And Mark Russinovich's fan base is long gone if the reaction to his 'sellout' at his own blog be any indication. Following are a few choice comments from 18 July 2006.

You chose the blue pill?!
 - Anonymous

One of the reasons you have been successful is you have been free to be critical of MS and free to point out problems with Windows. Joining forces with MS may mark the end of that freedom.
 - Tony Bean

I am sure you jest when you refer to Windows as the 'most important OS on the planet'. Already you are showing the sad influence of the $$$ from Microsoft.
 - Anonymous

Can't blame you much for looking after your families. Thank goodness Linux cannot be bought up as well.
 - Anonymous

Looks like all top people in MS have leaked out to Google. They now need someone to get things on the right track. Who else could they think of?
 - Anonymous

I can't imagine a sum of money large enough to make me pretend, large enough to make me speak or remain silent at the whims of another.
 - Anonymous

Sorry mate, but you have sold yourself and all your work to the absolutely worst organisation.
 - Anonymous

See Also
Sony, Rootkits and Digital Rights Management Gone Too Far
EFF: Sony BMG Litigation
Business Week: Sony's Copyright Overreach
CNET: New spyware claim against Sony BMG
On My Way to Microsoft!
CNET: Vista hacked at Black Hat
Invisible Things: Running Vista Every Day!
Invisible Things: Vista Security Model - A Big Joke?
Invisible Things: Confusion About The 'Joke Post'
PsExec, User Account Control and Security Boundaries

Copyright © Radsoft. All rights reserved.