Microsoft has blocked the attack vector used to slip unsigned drivers past new security policies being implemented in Windows Vista, according to Joanna Rutkowska, the stealth malware researcher who created the exploit. Rutkowska, who demonstrated the exploit at the Black Hat conference in August, said she tested the attack against Windows Vista RC2 x64 and found that the exploit doesn't work anymore.  "The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights," Rutkowska wrote on her Invisible Things blog. Rutkowska, a Windows Internals expert at Singapore-based IT security firm COSEINC, however warned that the way the exploit is being blocked could be problematic and cause application compatibility issues.

Imagine a company wanting to release e.g. a disk editor. Now, with the blocked write access to raw disk sectors from usermode, the company would have to provide their own custom, but 100% legal, kernel driver for allowing their, again 100% legal, application (disk editor), to access those disk sectors, right? Of course, the disk editor's auxiliary driver would have to be signed - after all it's a legal driver, designed for legal purposes and ideally having neither implementation nor design bugs! But, on the other hand, there is nothing which could stop an attacker from "borrowing" such a signed driver and using it to perform the pagefile attack. The point here is, again, there is no bug in the driver, so there is no reason for revoking a signature of the driver. Even if we discovered that such driver is actually used by some people to conduct the attack! But it seems that MS actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn't solve the problem…