Boot Record Rootkit Threatens Vista, XP, NT

Paul sends us word on a new exploit seen in the wild that attacks Windows systems completely outside of the control of the OS. "Unfortunately, all the Windows NT family (including Vista) still have the same security flaw — MBR [Master Boot Record] can be modified from usermode. Nevertheless, MS blocked write-access to disk sectors from userland code on VISTA after the pagefile attack, however, the first sectors of disk are still unprotected... At the end of 2007 stealth MBR rootkit was discovered by MR Team members (thanks to Tammy & MJ) and it looks like this way of affecting NT systems could be more common in near future if MBR stays unprotected."

Like it matters

[ILuvRamen]

They can fix the hell out of it and it would still be vulnerable. What if someone wrote a super small bootable virus, then the virus' initial form used Partition Magic-like functionality to write its own partition and stick the virus on it then tell the computer before restarting to boot from that one. Then the virus can do whatever it wants to the MBR or basically anything else on the drive cuz no files or anything would be open. I'm pretty sure Windows can't protect the MBR if it isn't running.

Foolproof Windows?

[Archangel+Michael]

"something I thought windows already did (and if it doesn't, there's really no excuse for it not to) - but that's far from foolproof."

Windows is made for fools ... and grandmas ... and CEOs. Besides, If you make something foolproof (VISTA) only fools will use it.

Re:Misleading...

[Jesus_666]

I don't want to know the kind of screwed up configuration which has the guest account running with administrator rights.