
Bug in ATI driver throws Vista wide open


Microsoft is currently working with AMD to fix a bug in an ATI driver that ships preinstalled on millions of laptops. In effect, this bug leaves the kernel of Vista wide open via the loading of unsigned drivers.

If you recall, we mentioned earlier this month the glaring loophole in the requirement for signed drivers. In "Vista kernel defenses defeated", the rogue kernel driver "Atsiv" (Vista spelled backwards) allowed arbitrary drivers to essentially bootstrap themselves using its own validly signed certificate. It has since had its certificate revoked.

The argument behind the creation of Atsiv was the ease with which it is possible to create a company and acquire a valid certificate within "a very short period of time and at a low cost, which raises the question as to what driver signing actually represents."

Then along came Black Hat, where research from Rutkowska and Alex Ionescu isolated a vulnerability in the ATI driver, which Ionescu packaged into a tool called Purple Pill. An ATI-signed driver was embedded in Purple Pill and was allowed to run, after which malicious code could be bootstrapped using the bug -- similar to how Atsiv worked.

Why can't Microsoft just pull the ATI driver's signing certificate this time round then?

Quote from eWeek: "Because there would be an ocean of stranded users, given its widespread install base."

Says Whitehouse: "ATI hardware is very common. The driver is used extensively in laptops around the globe."

Fancy starting Monday morning to find the 500 PCs on your corporate network down with the screen flashing a "Video Driver Error" message? Shudder.
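The revocation dilemma above comes down to a question an administrator can actually answer for their own fleet: which signer do the running kernel drivers depend on, and is anything already running without a valid signature? The script below is an added example for this post, not code from the article or from Microsoft; it uses only built-in cmdlets (Get-CimInstance, Get-AuthenticodeSignature) and the thumbprint parameter is a placeholder you would replace with the certificate you are tracking.

```powershell
# Added example (not part of the original article): inventory running kernel-mode
# drivers and their Authenticode signers, so an admin can see how many drivers a
# given signer covers before that certificate is revoked, and spot unsigned ones.
# Run from an elevated PowerShell prompt.

param(
    # Hypothetical placeholder: thumbprint of a signing certificate you want to flag
    [string]$WatchThumbprint = 'PLACEHOLDER-THUMBPRINT'
)

# Win32_SystemDriver lists kernel-mode drivers known to the Service Control Manager
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may use the \??\C:\... or \SystemRoot\... forms; normalise to a filesystem path
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name       = $d.Name
        Path       = $path
        Status     = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
    }
}

# 1. Running drivers whose signature does not currently verify
$report | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize

# 2. Revocation impact: how many running drivers each signer covers
$report | Group-Object Signer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Running drivers signed by the watched certificate
$report | Where-Object { $_.Thumbprint -eq $WatchThumbprint } |
    Format-Table Name, Path -AutoSize
```

Two caveats for reading the output. Get-AuthenticodeSignature reports the chain as the machine sees it today, so a signer whose certificate has since been revoked shows up under a non-Valid status only once the revocation data has reached the machine. And many inbox drivers are signed through a catalog file rather than an embedded signature; on older Windows versions the cmdlet only inspects the embedded signature, so a NotSigned status there means "check the catalog", not "unsigned binary in the kernel".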

Do you think Microsoft should just do away with compulsory driver signing?


About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

15 comments
raisch

If Microsoft had designed Vista "from the ground up" as a secure operating system, badly behaved device drivers would not be able to compromise system integrity because they wouldn't be allowed to, *by design*, in which case, choke-hold bureaucratic controls like "driver signing" would be completely unnecessary. But rather than a secure operating system, Vista--like its predecessor XP--is little more than a handful of embellishments tacked on to Microsoft's existing NT operating system codebase. Since NT was created well before the idea of an "always connected", globally networked personal computer had caught on, it was never designed with an appreciation for the dangers created by exposing a computer to the predations found "out there". When NT, and products built upon it, is exposed to the wild flora and fauna of such a global environment, its original design--inappropriate to its current use--has proven fundamentally insecure. Going further, this primary design problem is compounded by several of Microsoft's architectural decisions in the upper layers of the operating system: the worst being how the OS service management and UI layers are so deeply and irretrievably "coupled". Coupling is a design concept that describes a condition where components of a system are made reliant upon each other in ways that expose the whole system to severe reliability problems. The most public example of coupling in Windows is Microsoft's inability to ship a version of the operating system that doesn't contain the Internet Explorer web browser. Rather than being a self-contained product, IE is little more than a well-designed user interface built on and reliant upon a varied collection of shared system libraries which allow it to interact with the user, the operating and file systems, the network, etc.
But since the libraries in question are used in other places throughout the operating system (including the Desktop, the Windows Help system, and perhaps most importantly Windows Update), they must also have unfettered access to protected system resources to fulfill their other duties. This coupling wouldn't be as much of a concern if these libraries had been designed to accommodate both potentially problematic user processes as well as controlled system services, but they were not (and cannot be due to the underlying security issues inherent in the base operating system.) So it appears more likely that the severest security issues we have experienced in Internet Explorer are due to the browser's coupling to these underlying libraries than to any problem in the browser itself. (Microsoft is required to distribute a version of Windows in Europe that does not include Internet Explorer but in reality, it only lacks IE's user interface; the underlying libraries are still there and usable by any program.) From this evidence, it appears clear that this rampant and continuing insecurity of Microsoft's operating system products is not a failure of its underlying codebase but a direct result of Microsoft's refusal to re-design its products to safely coexist in this new, harsh, and uncontrolled computing ecosystem. (This is really nothing more than Microsoft's unwillingness to assume the expense of producing products that can be relied upon to be trustworthy, reliable, and secure.) Counter to standard software design praxis, Microsoft appears to believe that Vista can be made secure through the re-design of select kernel elements (without considering the kernel's architecture as a whole), the addition of new cryptographically secure, but bureaucratically unsupportable, "gatekeeper" services, and by a continual process of patching existing, insecure ones. 
But any competent systems architect knows that if security is a primary and fundamental concern, it must be *designed* into a system from its first conceptual ideation. An obvious corollary of this rule is that security cannot be "retrofitted" onto any existing, insecure system. Further, competent architects are very much aware of the dangers of coupling user applications and system services due to their varying requirements and responsibilities. So the sad conclusion for consumers is this: that Vista--as currently designed--cannot be made secure no matter what resources Microsoft throws at the problem.

Tony Hopkinson

There is no commercial reason to rebuild Windows from scratch and an absolute shed load to keep the current 'design' philosophy. MS's metier is accessibility; they designed well enough for that to capture the market and to give them the muscle to keep it. As long as they have some spit left, this turd will keep being polished. Not an MS-specific failing either; just about every shrink-wrap commercial software producer suffers in exactly the same way. The first casualty in the war to produce commercial software is code / design quality.

TranceWarp

As Vista is basically a reworking of the NT kernel (again), there is nothing that can be done to totally secure any version of Windows. Microsoft would actually have to write the OS from scratch. However, because it took so long between the release of XP and Vista, someone would have thought that the OS 'was' all original code. Oh, well...

bfreed

Yes - do away with it. Driver signing has seemed more to be a profit center for Microsoft than an assurance that the drivers are OK. It doesn't surprise me that this has become another attack surface. Dump driver signing as it routinely gets ignored anyway.

Absolutely

"Do you think Microsoft should just do away with compulsory driver-signing?" I think that's their problem to figure out. I suspect they'll make Windows pretty usable before the majority of the tens of millions of first-month purchases of Vista make their way from the OEMs' warehouses to customers' desks. ATI, remember, recently merged with, or was purchased by, AMD. The chances that operations were 100% uninterrupted ... & even before joining AMD, ATI established a track record of frequent & substantial changes to their software. Their technical support is prompt & courteous, but it would be better to write software that doesn't necessitate so much tech support.

jmgarvin

Their drivers have always been buggy and pretty flaky. I mean, look at the hacks they've thrown in to get their hardware working properly with Vista (which is why there is a hole). It's pretty bizarre when you think about the state of driver writing today.

Neon Samurai

I've heard nothing but ill will towards ATI's hardware drivers. A driver update breaks the ATI media player. A media player update breaks the ATI driver. Update both chunks of software together and you may get a working system less the odd frequent video software crash. Ok, I'm a little bitter, though it's due to years and years of purchasing ATI product and thinking "maybe the new hardware and drivers will work better together." Maybe AMD can save ATI if they manage to save their own processor business first. I'd happily go back to the All In Wonder series and save using the PCI slot soon to be consumed by Hauppauge.

paulmah

Do you think Microsoft should just do away with compulsory driver-signing?

fricative57

Absolutely. Flexibility is not always a bad thing.

jeffro in Berkshire

Just because the odd person forgets the keys to their cars or homes, did we do away with locks? I think not. Whilst I agree this is off on a tangent, the concept is the same. The industry is ridiculed day in, day out for the systems we use being insecure or circumvented via an old hole in the software, so why is it then, when something is put in place to assist in the securing of the O/S, that a certain section of society wants rid of this new restriction? To make things worse, it's a section within our own industry! Whilst there is still a proportion of the population who have nothing better to do than pick at the software, the industry has to engage more people to find other ways of securing the software and associated systems. To those of you whom this concerns!....Find something better to do with your time and allow us to get on with our jobs. Whilst I agree that the holes should not be there in the first place, there is a but and it is a BIG BUT: the software is written by people and people make mistakes! Get over it and get on with it!... If some of these mistakes were not made we would not have the technology we have today.

raisch

The reason our industry has become a target for such "ridicule" is because it has shown itself--almost universally--to be: - incapable of understanding or appreciating the requirements of modern, globally-connected computing, - surprisingly ignorant of our current understanding of the requirements of reliable software architecture and design, - apparently unaware of the myriad lessons to be learned from previous security failings, and - largely unsympathetic to the needs of its customers. And while I only have the evidence of my own experience, I suspect this is due to a dearth of software "engineers" rather than "paint inside the lines" coders.

raisch

Using your analogy, if I chose to install a defective lock on the front door of my home, not only would I provide free access to all of my possessions but I would also defeat all the locks in my town, exposing all of my neighbors to predation. Rather than any guarantee of security, driver signing is nothing more than a poorly considered, fragile stop-gap created to plug only one of the most obvious failings of a poorly-designed and fundamentally insecure system. Worse still, it imposes a reluctant third party between manufacturers and consumers; one that has shown itself ill prepared to shoulder the bureaucratic costs of "gatekeeping." And while I am not privy to the requirements imposed by Microsoft on manufacturers hoping to have their drivers "signed", I would be very surprised to find they included the imposition of reliable engineering design constraints or comprehensive regression testing.

Tony Hopkinson

Signing is nothing to do with locks and keys; it's to do with only buying them from people who've given the car manufacturer a cut. The rest of your argument leaves a very bad taste in my mouth. I prefer to believe I add much more value as a developer than successfully implementing a poorly thought out requirement most of the time. You should too.

eknebs

Most individuals who benefit from the driver signing policy of Microsoft are inexperienced end users, who would not know what to do if such a policy were not in place. There would be a lot of trial-and-error installations which would result in a lot of crashed computers. By the way, I have benefited, even as I am capable of doing my own testing and certification as a trained technician, saving time!

Tony Hopkinson

Not when this sort of drivel happens or some bad guy pays a few bucks for a certificate. Newbies see the shiny symbol, click, bang and good night. The only protection in it is a racket.
