Microsoft is currently working with AMD to fix a bug in an ATI driver that ships preinstalled on millions of laptops. In effect, this bug leaves the kernel of Vista wide open via the loading of unsigned drivers.
If you recall, earlier this month we mentioned the glaring loophole in the requirement for signed drivers. In “Vista kernel defenses defeated”, the rogue kernel driver “Atsiv” (Vista spelled backwards) allowed arbitrary drivers to essentially boot-strap themselves using its own validly signed certificate. Its certificate has since been revoked.
The argument behind the creation of Atsiv was the ease with which it is possible to create a company and acquire a valid certificate within “a very short period of time and at a low cost, which raises the question as to what driver signing actually represents.”
Then along came Black Hat, where research from Rutkowska and Alex Ionescu isolated a vulnerability in the ATI driver, which Ionescu packaged into a tool called Purple Pill. An ATI-signed driver was embedded in Purple Pill and was allowed to run, after which malicious code could be boot-strapped using the bug — similar to how Atsiv worked.
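For an administrator who wants to know where a fleet stands, the practical first step is an inventory of which kernel drivers are actually loaded and how each one is signed. The script below is an added example written for this post, not code from Microsoft, AMD/ATI, or the researchers named above. It uses only the standard Windows cmdlets Get-CimInstance and Get-AuthenticodeSignature to list running drivers and flag any whose signature does not validate (unsigned, hash mismatch, or a certificate that has since been revoked, as happened with Atsiv). The path-normalisation rules are assumptions based on the formats Win32_SystemDriver commonly returns.

```powershell
# Added example (not from the article): report the signature status of every
# kernel driver currently running, so unsigned drivers or drivers signed with a
# revoked certificate stand out during review.
# Run from an elevated prompt so all driver image paths are readable.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists kernel-mode drivers registered with the Service Control Manager.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # PathName may be quoted, prefixed with \??\, or relative to \SystemRoot\.
        # These normalisation rules are assumptions about the common formats.
        $path = $drv.PathName.Trim('"') -replace '^\\\?\?\\', ''
        if (-not (Test-Path -LiteralPath $path)) {
            $path = Join-Path $env:SystemRoot ($path -replace '^\\SystemRoot\\', '')
        }
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Name    = $drv.Name
                Path    = $drv.PathName
                Status  = 'FileNotFound'
                Signer  = $null
                Message = 'Driver image path could not be resolved'
            }
            continue
        }

        # Status is one of Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        # StatusMessage carries the reason, e.g. that the signing certificate is revoked.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name    = $drv.Name
            Path    = $path
            Status  = $sig.Status
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Message = $sig.StatusMessage
        }
    }
}

# Anything that is not 'Valid' deserves a look; push the Valid entries to the bottom.
Get-DriverSignatureReport |
    Sort-Object { $_.Status -eq 'Valid' }, Name |
    Format-Table Name, Status, Signer, Message -AutoSize
```

Two caveats a practitioner should keep in mind. First, many Microsoft inbox drivers are catalog-signed rather than carrying an embedded signature; Windows PowerShell 5.1 on Windows 10 and later reports these as Valid with a catalog SignatureType, but older versions show them as NotSigned, so a wave of NotSigned results on an old host is not by itself evidence of trouble. Second, this report only covers drivers the Service Control Manager knows about. Code that a vulnerable but validly signed driver (the Purple Pill scenario) pulls into the kernel without registering a service will not appear here at all, which is exactly why fixing the driver, rather than auditing around it, is the only real remedy.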
Why can’t Microsoft just pull the ATI driver’s signing certificate this time round then?
Quote from eWeek: “Because there would be an ocean of stranded users, given its widespread install base.”
Says Whitehouse: “ATI hardware is very common. The driver is used extensively in laptops around the globe.”
Fancy starting Monday morning to find the 500 PCs on your corporate network down with the screen flashing a “Video Driver Error” message? Shudder.