
Aussies rage against the Microsoft machine over Vista security feature

Linchpin Labs won't replace revoked digital certificate, but doesn't go quietly into the night

August 7, 2007 12:00 PM ET

Computerworld - Linchpin Labs, a small Australian security company whose free utility Microsoft has blocked from loading unsigned drivers into Windows Vista, today lashed out at the American giant. Microsoft, said Linchpin, should set its own security house in order before it accuses other developers of turning their legitimate software into threats.

Earlier this month, Sydney-based Linchpin released Atsiv, a program that uses a signed driver to load other, unsigned drivers into the 64-bit Vista kernel, behavior that Microsoft said late last week evades a Vista security feature. In 64-bit Vista, only drivers carrying a valid digital signature, one that chains to a certificate the system trusts, may load into the kernel; the provision is meant to stop attackers from infiltrating the kernel with, among other things, malware-cloaking rootkits. Thursday, working with VeriSign Inc., which had issued the Atsiv certificate, Microsoft got that code-signing certificate revoked, blocking the utility from loading its driver.
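The check a practitioner would want after reading the above is a list of the kernel drivers currently running on a host, with each image's Authenticode status and whether the signer's certificate still verifies today, revocation included. The script below is an added example, not code from the article, from Linchpin Labs, or from Microsoft. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, the Win32_SystemDriver CIM class, and network access to the issuing CA's CRL/OCSP endpoints; the helper names Resolve-DriverPath, Test-SignerChain and Get-LoadedDriverSignatureReport are the example's own.

```powershell
# Added example (not from the article): audit the kernel drivers running on this host.
# For each driver image, report the Authenticode status and any problems found when the
# signer's certificate chain is rebuilt with an online revocation check.
# Assumptions: Windows, Win32_SystemDriver available, and reachable CRL/OCSP endpoints.

function Resolve-DriverPath {
    param([string]$PathName)
    # Service image paths come in several spellings; normalise to a real file path.
    $p = $PathName.Trim('"') -replace '^\\\?\?\\', ''        # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # \SystemRoot\... -> C:\Windows\...
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p                    # e.g. "system32\drivers\foo.sys"
    }
    return $p
}

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain as of now, checking revocation for every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build($Cert)
    # Return the status names found; an empty result means the chain is currently good.
    return @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
}

function Get-LoadedDriverSignatureReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }

            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $chainIssues = @()
            if ($sig.SignerCertificate) {
                $chainIssues = Test-SignerChain $sig.SignerCertificate
            }

            [pscustomobject]@{
                Name        = $_.Name
                Path        = $path
                Status      = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
                Signer      = $sig.SignerCertificate.Subject
                ChainIssues = ($chainIssues -join ',')     # e.g. "Revoked", "NotTimeValid"
            }
        }
}

# Anything unsigned, tampered with, or signed by a certificate that has since been
# revoked shows up in this filtered view.
Get-LoadedDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or $_.ChainIssues } |
    Format-Table -AutoSize
```

Two caveats apply. Authenticode honours the signing timestamp, so Get-AuthenticodeSignature may still report Valid for a driver signed before its certificate was revoked; the X509Chain rebuild evaluates the certificate as of today and is the part that surfaces a revocation. And the script only tells you what is signed and by whom; a validly signed driver that itself loads unsigned code, which is the case the article describes, looks like any other Valid entry here, which is exactly why Microsoft's answer was revocation plus an anti-malware signature rather than a policy check.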

Calling the certificate-bearing utility a "potential as well as actual security threat," Microsoft said it also recently added signatures to its antispyware program Windows Defender to detect, block and remove Atsiv's current driver.

On Monday, in response to e-mailed queries by Computerworld, Linchpin defended its software as legitimate. "[Atsiv] assists users of Microsoft Vista that are currently unable to use legacy hardware without signed drivers, and casual developers (such as hobbyists) that are not able to use a company's signing certificate," the company said. "With Atsiv, consumers could once again make use of their legacy hardware, actually increasing [emphasis in original] the user experience of Microsoft Windows Vista."

Even so, it knew when it was beat. "Linchpin Labs will not be acquiring a new certificate to support Atsiv, as Microsoft would undoubtedly push to revoke it as well," the statement read.

"[But] Atsiv does not threaten the user, nor does it provide anonymity to the client drivers that it is used to load," the company said before launching into a series of rhetorical questions. "What is Microsoft doing to protect the consumer from actual malicious software for which Microsoft does not have a signature? What about signed drivers that contain exploitable vulnerabilities? What about drivers signed and supported by the malware industry?"

Like users who reacted to the blog posting in which Windows security architect Scott Field announced the revocation of Atsiv's certificate, Linchpin cast Microsoft's move as the first step on a slippery slope. "The fact [that] Microsoft has taken it upon itself to revoke the Atsiv certificate based on its own definition for malware sets a concerning precedent, one that should not be ignored," Linchpin said. "What if anti-SRE [software reverse engineering] software from company X incorporates a stealth service to help protect products? What if software from company Z implements a system for injecting and running Linux drivers in the Windows kernel?"
