Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. Referred to as the Rootkit Evasion Prevention tool, SA (2506014) is actually a refresh of the Windows Operating System Loader (winload.exe).
Following the installation of KB 2506014, rootkits will no longer be able to cling to life on compromised Windows machines by exploiting a method which allows for unsigned drivers to be loaded by winload.exe.
Since signed drivers are mandatory only for 64-bit variants of Windows, the Rootkit Evasion Prevention Tool is also available only for supported x64 copies of Windows, including Windows 7 SP1 RTM. (download links at the bottom of this article)
The software giant detailed the issue that enables rootkits to survive post-infection:
During the boot process, winload.exe determines the signed state of system binaries. Certain inadequacies in this process allow unsigned binaries to be loaded. When this occurs, Windows is unable to guarantee the integrity of certain core operating system components.
The main characteristic of a rootkit is the fact that it’s designed to remain hidden, undetected by other malware or by security solutions.
In this regard, the update for the Windows Operating System Loader will make it harder for rootkits not to be sniffed by anti-malware programs.
“This update increases the difficulty of rootkits from hiding, but since it doesn’t address a security vulnerability, it would not prevent a future malware infection from occurring,” the Redmond company explained.
Download for x64-based Systems (KB2506014):