Microsoft Security Advisory (2506014)

What is the scope of the advisory? 
This advisory provides clarification and notification of the availability of a non-security update to address an issue in driver signing enforcement. The update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware, such as rootkits, to stay resident on a system after the initial infection. The issue affects the software that is listed in the Affected Software table above.

What causes this issue to occur? 
During the boot process, winload.exe determines the signed state of system binaries. Certain inadequacies in this process allow unsigned binaries to be loaded. When this occurs, Windows is unable to guarantee the integrity of certain core operating system components.

What is the Windows OS Loader (winload.exe)? 
The Windows OS Loader (winload.exe) loads the Windows Kernel and its dependencies as well as the boot-start drivers. This component also contains code that queries a system's BIOS to retrieve basic device and configuration information. This application is part of the operating system and loads a specific version of Windows. It uses the firmware to load the operating system kernel and to boot critical device drivers from a local hard disk.

What is driver signing? 
Driver signing associates a digital signature with a driver package. Windows device installation uses digital signatures to verify the integrity of driver packages and to verify the identity of the vendor (software publisher) who provides the driver packages. In addition, the kernel-mode code signing policy for x64-based editions of Windows Vista and later versions of Windows specifies that a kernel-mode driver must be signed for the driver to load. For more information on driver signing, see the MSDN article, Driver Signing.

What is a rootkit? 
A rootkit is a program whose main purpose is to perform certain functions that cannot be easily detected or undone by a system administrator, such as hide itself or other malware.

Does this update remove a rootkit from an infected system? 
No. The update prevents a known method that rootkits use to hide from anti-malware programs. Even after the update is installed, a system infected with a rootkit will still need to be cleaned through some other means.

How can I determine if my system is infected with a rootkit?
Once the update is applied, an installed anti-malware program should be able to detect the rootkit and inform you of its presence.

How do I uninstall a rootkit?
Manual removal is not recommended for most rootkits. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Windows Live OneCare safety scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.

Will this update prevent future infections from occurring?
No. This update increases the difficulty of rootkits from hiding, but since it does not address a security vulnerability, it would not prevent a future malware infection from occurring.

Why is this update only available for x64-based systems?
Driver signing is not a requirement of 32-bit editions of the listed Windows operating system versions. Itanium-based systems are not impacted by this issue.

I am a developer who ships signed binaries. Will this update require me to re-sign all of my binaries?
No. This update does not require any changes to existing signed binaries.

How will Microsoft list this update on the Windows Update Web site?
The update for the Windows kernel is a high-priority update on the Windows Update Web site. On the Windows Update site, it will be listed in the "High Priority" Updates category for customers who have not received the update already and are running the software listed above.

Will this update be distributed over Automatic Updates?
Yes, this update is distributed over Automatic Updates to systems listed in the Affected Software table above.

Is this an update that requires a bulletin?
No, this is not an issue that requires a Microsoft security bulletin and security update. In order for a program to execute code as described above, the program must already be executing at privileged level. The update makes changes to help ensure that only intended programs that have been signed by a valid certificate authority can execute in winload.exe during the boot phase.

This is a security advisory about a non-security update. Isn't that a contradiction? 
Security advisories address security changes that may not require a security bulletin but may still affect customer's overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

Review the Microsoft Knowledge Base Articles that are associated with this advisory

We encourage customers to install these updates. Customers who are interested in learning more about these updates should review Microsoft Knowledge Base Article 2506014.

For more information about the terminology that appears in this advisory, such as "update," see Microsoft Knowledge Base Article 824684.

Protect Your Computer

We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

Keep Windows updated

All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.