UPDATE: ATI driver flaw exposes Vista kernel to attackers

(See update below for official response from ATI)

An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel.

Purple Pill, a utility released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista -- effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system.


In an interview, Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver -- atidsmxx.sys, version 3.0.502.0 -- to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel.
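
The article's point is that the driver passes Vista's signature check, so signature status alone will not reveal a host that carries the affected file; a defender has to look at the driver's file version as well. The following PowerShell report is an added example written for this page, not a tool from Ionescu, Symantec, ATI or Microsoft. It enumerates running kernel drivers, records their Authenticode status and signer, and flags the file name and version the article gives (atidsmxx.sys, 3.0.502.0). The function name and the output fields are assumptions of this example; the cmdlets used (Get-CimInstance, Get-AuthenticodeSignature, Get-Item) are standard Windows PowerShell.

```powershell
# Added example, not code from the article. Inventories running kernel drivers and flags
# the driver file/version the article names. Requires Windows PowerShell 3.0 or later
# (Get-CimInstance); on older hosts substitute Get-WmiObject Win32_SystemDriver.

# Values taken from the article; only this exact version is stated to be affected.
$VulnerableDriver  = 'atidsmxx.sys'
$VulnerableVersion = [version]'3.0.502.0'

function Get-RunningDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName is often in NT form (\??\C:\...) or relative to \SystemRoot\;
            # normalise it to a plain filesystem path before touching the file.
            $path = $_.PathName -replace '^\\\?\?\\', '' `
                                -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }

            $file = Get-Item -LiteralPath $path
            $sig  = Get-AuthenticodeSignature -FilePath $path

            # FileVersion may carry trailing text ("3.0.502.0 built by: ..."); keep the
            # numeric part only, and tolerate files with no parseable version.
            $ver = $null
            if ($file.VersionInfo.FileVersion) {
                $numeric = ($file.VersionInfo.FileVersion -split '\s')[0]
                [void][version]::TryParse($numeric, [ref]$ver)
            }

            [pscustomobject]@{
                Service    = $_.Name
                Path       = $path
                Version    = $ver
                SigStatus  = $sig.Status            # 'Valid' for the affected driver too
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                # The signature check passes on the affected driver, so the version
                # comparison is what actually identifies it.
                KnownIssue = ($file.Name -ieq $VulnerableDriver -and
                              $ver -ne $null -and $ver -eq $VulnerableVersion)
            }
        }
}

# Usage: show anything unsigned/invalid plus the driver version named in the article.
Get-RunningDriverReport |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.KnownIssue } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so every driver path is readable. A host that is fully signed and shows no `KnownIssue` row is not proven clean of this class of problem; as the article goes on to say, the weakness is that any validly signed driver exposing kernel read/write has the same effect, so the version check is specific to the one driver named here.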


"I didn't know the [ATI] driver wasn't patched," Ionescu explained. He said he found out about the flaw from Joanna Rutkowska's Black Hat presentation (see .ppt file) and assumed it was something that was already fixed. "I wanted to be responsible about releasing the tool so I pulled it," Ionescu said, dismissing talk that he was pressured by Microsoft or Apple (where he is interning for the summer).

Ionescu said he discussed the issue with Microsoft and will likely re-release the tool after a patch is released.

A spokesman for Microsoft said the company is aware that an ATI driver might be "potentially vulnerable."

"Microsoft is in contact with ATI to help address this issue and once fixed we will assist in getting it to our customers," he said. "To the best of our knowledge, Purple Pill was a proof of concept demonstration tool that was available for a very limited time and is no longer available."

Ionescu said the tool was available for about 78 minutes and was downloaded 39 times.


Among those downloaders were folks at Symantec. Eric Chien, a senior manager on Symantec's security response team, said his team looked at the Purple Pill code and was able to pinpoint the ATI driver as the culprit.

"Basically, that ATI driver has functionality that allows you to read and write kernel memory. It's either a bug or a feature of the driver. We're not sure why they're using it but because it's both signed and allowed to read/write kernel memory, any third party can use that driver to do the same thing," Chien explained in a telephone interview.

Symantec has deemed Purple Pill a hacking tool that can be used for malicious purposes and has shipped a definition update for its anti-malware products.

A spokesman for ATI said the company is investigating. (See update below)

It is likely that Microsoft will use its automatic update mechanism in Vista to ship a patch for this buggy driver. The company cannot revoke the certificate for the driver because, as Ionescu explained, it's already embedded in about 50% of all Vista laptops -- and any revocation will affect those machines.

Even after this is fixed, Ionescu said this episode points to a bigger issue of risks introduced by buggy third-party drivers.

"This is not a problem that will go away soon. As Joanna has already shown, anyone can get a driver signed. Now we know that even signed drivers have bugs that open up new ways to load something unsigned into the kernel," he said.

Ionescu suggested deeper collaboration between Microsoft and third party driver makers to improve the quality of code loading onto Vista. "Maybe they can do some code reviewing or require tests on drivers before they are signed. Something will have to be done because this is not only an ATI problem."

[UPDATE: August 11, 2007 @ 11:20 AM] ATI has confirmed the bug, which affects the AMD Catalyst software package. Here's a statement from AMD spokesman Jon Carvill:

“The market recently discovered a potential security vulnerability that could impact AMD’s Catalyst software package. After immediate investigation, AMD determined that a small section of code in one of the files of our installer package file is potentially vulnerable. The AMD plan is to provide a new ATI Catalyst package no later than Monday, Aug. 13, 2007, that resolves this vulnerability. We strongly recommend that desktop ATI Radeon graphics users update to Catalyst version 7.8 once it is available on http://ati.amd.com/support/driver.html. AMD and Microsoft are also investigating additional distribution channels for this update. This vulnerability was not exclusive to AMD.”

In all likelihood, Microsoft will push this down to Windows Vista users on Patch Tuesday (August 14th) via the automatic update mechanism.

  • Just over 6 months....

    ... to blast a *major* hole into Uncle Bill's "most secure operating system ever". It is a good hole too. Find a buggy driver - or write your own - and Vista's kernel is your oyster.
    • Mmm ....

      I don't think this actually points to a problem with Vista. At some point, these drivers will need to access the kernel. The problem seems to be Microsoft's process for handing out their certifications; sounds to me as if it needs tightening up.
      • I agree

        "The problem seems to be Microsoft's process for handing out their certifications;"

        I didn't say it was Vista's problem, but I was enjoying the irony of Bill Gates' famous speech that was supposed to have us all galloping toward Vista for the sake of a more secure world.

        At the end of the day, it will make little difference to users whether Vista is the problem or not. Users only see the problem.
        • Indeed.

          Well, there is nothing here that says Vista is insecure, so his statement still stands.

          ATI asked permission to access the kernel
          MS said yes.
          ATI stuffed it up. And worse, didn't do anything about it when the problem was discovered.

          But if MS is going to hand out certificates to everybody, then what is the point? Folk will be in exactly the same position as before; with folk who have no business in the kernel, being given access to it.
      • MS is too tight already, time to sign off

        Good God man, what are you thinking, you have the idea everyone out there is going to come running to MS with a suitcase full of cash begging MS to certify their software, hardware or drivers ? Have another toke and chalk your vision up to the opium pipe as this is not going to happen. Just because MS has a lot of fools supporting their products because MS's marketing team has lied continuously, doesn't mean every person out there is gullible or an idiot waiting for MS to slide down their chimney with a gift certificate. If you want MS to tighten up, better tell them how and where as they've already been there and past the point of caring about how anyone feels about it.
  • Good Job ATI

    Way to punch a hole into Microsoft's rock solid operating system.

    AMD has been on such a roll lately.
  • rock solid??

    you are joking right?

    at any rate these kinds of bugs and flaws are supposed to be caught by the whole WHQL deal, but imagine that, they are not. There are several headaches for driver writers:
    1) OS interface complexity: seems both ATI and nVidia are both having issues getting their drivers in order for Vista (but XP/2000 are just fine) makes you go hmm...

    2) before Vista was released, one of the highly touted features of it was that the graphics engine was supposed to be run in user space... so why did ATI need kernel write access to make their GPUs work? it should be that they send commands and data over the PCI-E or AGP buses, not needing to play with the kernel... smells bad for Vista....

    the best Vista can give people at this point is a very false sense of security....
    • You're right - lots of buggy drivers on Vista

      Although Microsoft must certify device drivers, lots of buggy drivers are getting through the process. The best Vista drivers from ATI and nVidia are buggy as are network interface drivers, and who knows what else.


      Same kind of thing happened when Windows 2000 came out - of course in those days Microsoft didn't have to certify the drivers. I am guessing that Microsoft is putting the highest priority on DRM compliance of drivers.

      I'm not entirely surprised though, how many people at Microsoft are actually qualified to fully test and understand the inner workings of a submitted driver? Six or ten maybe? These bugs may take much longer to work out than we users would like them to.
      • so this is just par for the course for MS?

        "Same kind of thing happened when Windows 2000 came out"
      • Microsoft did certify drivers for Windows 2000.

        WHQL testing is an automated test script. The number of people at Microsoft that are fully qualified to test and debug drivers is in the thousands. Where do you guys come up with this stuff, anyway?
    • Way off base.

      The errata for Nvidia and ATI on XP is just as long as it is on Vista. Security flaws have never been a focus of WHQL. Your assumptions and conclusion are all wet!
      • How about you dry them out and enlighten us

        I'd really like to read your take on ATI, XP, Vista and why you feel his assumptions are all wet. No point in talking the talk without walking the walk as it has no meat to put any stock in your jib or gibberish.
  • needless to say....

    The solution is switching to Linux, rock solid with safe drivers.
    Linux Geek
    • Trouble is...

      On my laptop, I have an ATI card that does not work with the FOSS ATI drivers, so I am reduced to using the ATI official drivers. A number of vulnerabilities have been found in closed drivers and the vendors are not always too bothered to fix them with any speed.

      I'd have preferred an NVIDIA card, but their drivers have suffered from the same problems in the past.
    • Linux drivers....

      Linux drivers are completely safe because there are only a handful that actually work. I keed, I keed!!!
  • Yea, this is a big one. A < clm_ tmp> data retrieval corked me into .......

    Bad situation to get into; if I only had them there hand me down action software reporters and a cool million, here. Upgrade to an R430 Ati Technologies with I believe the 6.14v driver cabinet. All of that 3.14v stuff is kind of out there losely.

    Right now I've disabled my 6800GS which locks out the control panel features for the R200; and use driver 5.13v \ WINFox 20_1.3 for my online internet experience.

    Total recovery on my machine, Thank you SERVICE COMPUTER.
    (cost for new purchase - $600 Firm-Gear; accually has an identification.? (Builder)--r.t.
    • WTF...

      ... are you on about???
    • Gibberish Rant?

      No clue what you're going on about!
    • What are you smoking dude :S (NT)

      SO.CAL Guy
    • Why does this sound like...

      ... a Google or Babelfish translation of a comment from another language to English?