Microsoft Security Advisory 2506014
Update for the Windows Operating System Loader
Published: April 12, 2011
Microsoft is announcing the availability of an update to winload.exe to address an issue in driver signing enforcement. While this is not an issue that would require a security update, this update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware to stay resident on a system after the initial infection.
The issue affects, and the update is available for, x64-based editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information about this release, see Microsoft Knowledge Base Article 2506014.
For more information about this issue, see the following references:
|Microsoft Knowledge Base Article||2506014|
Affected and Non-Affected Software
This advisory discusses the following software.
|Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2|
|Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2|
|Windows 7 for x64-based Systems and Windows 7 for x64-based Systems Service Pack 1|
|Windows Server 2008 R2 for x64-based Systems and Windows Server 2008 R2 for x64-based Systems Service Pack 1|
|Windows XP Service Pack 3|
|Windows XP Professional x64 Edition Service Pack 2|
|Windows Server 2003 Service Pack 2|
|Windows Server 2003 x64 Edition Service Pack 2|
|Windows Server 2003 with SP2 for Itanium-based Systems|
|Windows Vista Service Pack 1 and Windows Vista Service Pack 2|
|Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2|
|Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2|
|Windows 7 for 32-bit Systems and Windows 7 for 32-bit Systems Service Pack 1|
|Windows Server 2008 R2 for Itanium-based Systems and Windows Server 2008 R2 for Itanium-based Systems Service Pack 1|
What is the scope of the advisory?
This advisory provides clarification and notification of the availability of a non-security update to address an issue in driver signing enforcement. The update addresses a method by which unsigned drivers could be loaded by winload.exe. This technique is often utilized by malware, such as rootkits, to stay resident on a system after the initial infection. The issue affects the software that is listed in the Affected Software table above.
What causes this issue to occur?
During the boot process, winload.exe determines the signed state of system binaries. Certain inadequacies in this process allow unsigned binaries to be loaded. When this occurs, Windows is unable to guarantee the integrity of certain core operating system components.
What is the Windows OS Loader (winload.exe)?
The Windows OS Loader (winload.exe) loads the Windows Kernel and its dependencies as well as the boot-start drivers. This component also contains code that queries a system's BIOS to retrieve basic device and configuration information. This application is part of the operating system and loads a specific version of Windows. It uses the firmware to load the operating system kernel and to boot critical device drivers from a local hard disk.
What is driver signing?
Driver signing associates a digital signature with a driver package. Windows device installation uses digital signatures to verify the integrity of driver packages and to verify the identity of the vendor (software publisher) who provides the driver packages. In addition, the kernel-mode code signing policy for x64-based editions of Windows Vista and later versions of Windows specifies that a kernel-mode driver must be signed for the driver to load. For more information on driver signing, see the MSDN article, Driver Signing.
What is a rootkit?
A rootkit is a program whose main purpose is to perform certain functions that cannot be easily detected or undone by a system administrator, such as hide itself or other malware.
Does this update remove a rootkit from an infected system?
No. The update prevents a known method that rootkits use to hide from anti-malware programs. Even after the update is installed, a system infected with a rootkit will still need to be cleaned through some other means.
How can I determine if my system is infected with a rootkit?
Once the update is applied, an installed anti-malware program should be able to detect the rootkit and inform you of its presence.
How do I uninstall a rootkit?
Manual removal is not recommended for most rootkits. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Windows Live OneCare safety scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
Will this update prevent future infections from occurring?
No. This update increases the difficulty of rootkits from hiding, but since it does not address a security vulnerability, it would not prevent a future malware infection from occurring.
Why is this update only available for x64-based systems?
Driver signing is not a requirement of 32-bit editions of the listed Windows operating system versions. Itanium-based systems are not impacted by this issue.
I am a developer who ships signed binaries. Will this update require me to re-sign all of my binaries?
No. This update does not require any changes to existing signed binaries.
How will Microsoft list this update on the Windows Update Web site?
The update for the Windows kernel is a high-priority update on the Windows Update Web site. On the Windows Update site, it will be listed in the "High Priority" Updates category for customers who have not received the update already and are running the software listed above.
Will this update be distributed over Automatic Updates?
Yes, this update is distributed over Automatic Updates to systems listed in the Affected Software table above.
Is this an update that requires a bulletin?
No, this is not an issue that requires a Microsoft security bulletin and security update. In order for a program to execute code as described above, the program must already be executing at privileged level. The update makes changes to help ensure that only intended programs that have been signed by a valid certificate authority can execute in winload.exe during the boot phase.
This is a security advisory about a non-security update. Isn't that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customer's overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.
Review the Microsoft Knowledge Base Articles that are associated with this advisory
We encourage customers to install these updates. Customers who are interested in learning more about these updates should review Microsoft Knowledge Base Article 2506014.
For more information about the terminology that appears in this advisory, such as "update," see Microsoft Knowledge Base Article 824684.
Protect Your Computer
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.
Keep Windows updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (April 12, 2011): Advisory published.
Built at 2014-04-18T13:49:36Z-07:00