just wanted to clear up a common misconception here, after i (again) had a lot of discussions with different people about that topic yesterday:
as you might have heared, in the 64 bit version of windows vista only signed kernel modules are allowed, which of course affects also device drivers.
yes i think this is a great thing. and yes: i wish that would have been enforced in x86 as well, but i understand that this would break so much hardware compatibility that this wouldn’t be accepted by customers.
since x64 drivers have to be developed new anyway, it’s a good chance to start new… this time WITH security in mind.
a common misunderstanding on that topic seems to be that Microsoft has to sign the drivers. which often leads to a lot of ranting like "this will cost a shitload of money" or "Microsoft tries to get rid of open source device developers with that".
just to clarify:
the driver has NOT to be signed by microsoft. it has to be signed by whichever trusted certificate authority on that system!
so OEMs/driver developer can even self-sign their drivers if they deliver the valid CA certificate with them.
go out, spread the word… 😉
this leads now to part three:
yes, this also opens the chance for self-signed rootkits… but that’s a different topic i might cover in a later, bigger post after my vacation 🙂