  x64 Driver Signing Update
Time: 08:14 EST/13:14 GMT | News Source: Microsoft | Posted By: Jonathan Tigner

Hi, it’s Scott Field, Windows Security Architect, again. Microsoft recently became aware of a third party kernel mode driver named “Atsiv” which provides a deliberate means of loading code that conflicts with the Kernel Mode Code Signing (KMCS) policy included in Windows Vista x64 editions. In Windows Vista x64 editions, the default KMCS policy is to only allow code to load into the kernel if it has been digitally signed with a valid code signing certificate.

The Atsiv driver also provides a means to load unsigned kernel mode code in a manner that is not visible through operating system provided API interfaces (such as the EnumDeviceDrivers() API), and this may allow the code to hide from view of commonly deployed tools. Installing the Atsiv driver requires administrative privileges, so there is no security vulnerability related to the default case in Windows Vista where users run with limited permissions through the User Account Control feature.

Microsoft is committed to protecting its customers from potential as well as actual security threats; accordingly, we are responding to this issue as follows:

  1. Windows Defender released a signature update on August 2, 2007 that allows detection, blocking, and removal of the current Atsiv driver. Classification of the Atsiv software was done in accordance with the objective criteria used by the Windows Defender team to assess the characteristics of potentially unwanted software.
  2. Certificate revocation has occurred as of August 2, 2007. Microsoft has worked with partners in the code signing certification authority ecosystem to assess the Atsiv issue. VeriSign has revoked the code signing key used to sign the Atsiv kernel driver, which means the code signing key will no longer be considered valid.
  3. The security team at Microsoft is investigating adding the revoked key to the kernel mode code signing revocation list, as an additional defense in depth measure. The kernel mode revocation mechanism requires a system reboot in order for the new revocation list to take effect, which is consistent with other Microsoft updates which require and subsequently trigger a reboot.
