Slashdot Mirror

← Back to Stories (view on slashdot.org)

ATI Driver Flaw Exposes Vista Kernel to Attackers

Posted by CowboyNeal on from the sneaking-in dept.

Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel."

9 of 248 comments (clear)

  1. trusted computing by Anonymous Coward · · Score: 3, Insightful

    ok...
    so windows vista trusts ATI.
    ATI trusts themselves.
    I don't trust no one, especially closed-source drivers from ATI.

    shouldn't they simply replace their "fglrx" with "ati", in their xorg.conf?

  2. Ah, you kids have it easy... by Glowing+Fish · · Score: 4, Insightful

    The fact that people are actually going to the lengths of breaking into Windows by using a legitimate driver with kernel access to load in rootkits...the fact that it even requires explaining, means that Windows has reached some type of real security. I mean, with Windows 98, you would just hit enter on the login dialog box, and there you were!

    --
    Hopefully I didn't put any [] around my words.
  3. ATI will patch this by Dekortage · · Score: 4, Insightful

    Seems like the real concern is not that ATI's code opens a security hole. You know ATI will patch it. A more important question is, how many other securely-signed drivers, etc., have similar holes? How many drivers are there in a typical Windows Vista system, anyway?

    At least Microsoft can say (with some truth) that it's not THEIR software which introduces the problem! (it actually is, of course, but not directly)

    --
    $nice = $webHosting + $domainNames + $sslCerts
  4. Re:Bug or feature? by mugenjou · · Score: 3, Insightful

    I guess it's a feature to the bad guys. To everyone else, it's a bug. I guess it's a bug to Microsoft and the content industries. To everyone else, it's a feature.
    --
    DualBrain - Level Up Your Brain! - now available on your iPhone!
  5. Re:Let's blame Microsoft by morgan_greywolf · · Score: 5, Insightful

    (BTW--I've been using Linux as my primary OS since 1996, so no I'm not Linux bashing)

    Well, one thing to consider is this -- how different are other OSes like Linux? With Linux, a root exploit in a kernel module gains you access to the whole system as well, especially when you consider that it uses a monolithic kernel. IOW, kernel modules directly patch the Linux kernel, live, in memory. Now consider that the ATI drivers for Linux are based at least in part on the ATI drivers for Windows.

    Mind you that some things like SELinux might help to mitigate some of this in some scenarios, but not in all.

    --
    My blog
  6. It will not work. Ever. by Opportunist · · Score: 4, Insightful

    Actually I'm amazed it took almost a year. I would've betted my annual income that something like this would surface before May.

    Let's take a look at the inner workings of the system. Yes, MS has full access to the source code, so their drivers will probably not leak. They also have no "real" competition on the OS market (yes, there's Linux, there's MacOS, but what company would switch?). They can take their time to proof and perfect their drivers until you can be certain that they don't leak.

    Do third party vendors have the source? No. Do they have tight schedules and competition breathing down their neck? You bet. Will they prefer performance or security? Well, what of those two is tested on pages like THG?

    Worse yet, what if such a driver actually allows a user to "crack open" his system and use it as he pleases? Could you see people buy a cheap ATI card just for the purpose of disabling the DRM? I mean, there have been really, really crappy games for some consoles that sold surprisingly well, because they contained a bug that allowed disabling certain security measures. Save-game exploits were quite popular for a while.

    Could you see that this "security" bug could actually be a selling argument FOR the hardware rather than against it?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:Let's blame Microsoft by Tim+C · · Score: 5, Insightful

    Each of those probably stands a 50-50 chance of being either rooted or patched with the new key the first time it's connected to the 'net.

    It's a local exploit.

    did I mention that finding another bug in another driver signed with the new key will mean the whole process must be repeated?

    Third parties write crap, exploitable code and it's MS's fault? You can write exploitable kernel modules for Linux as well, yet somehow I don't think you'd be blaming that on Linus. If anything, this is an argument for open source drivers, not against MS's scheme - although how many people actually have the skill to audit the code they run, let alone auditing it?

    did I mention that if someone finds such a bug and sits on it, they have root to any Vista system in existence

    Every Vista install that uses the exploitable driver, you mean. Just as an exploitable driver for Linux would open every Linux install that uses that driver. For example, I have an NVidia card; as and when I upgrade to Vista, I won't be vulnerable to this particular exploit.

    Try to tone the hyperbole down a little, it's not very becoming.

    --
    It's official. Most of you are morons.
  8. Re:Let's blame Microsoft by mhall119 · · Score: 3, Insightful

    Malicious to whom? This systems seems designed more to prevent the installation of kernel-mode drivers that would allow the circumvention of things like DRM. I guess it could stop the installation of rootkits too, but there are other ways to stop them. It's funny (to me at least) that there are things that Windows can stop even an Administrator from doing on their own machine.

    --
    http://www.mhall119.com
  9. Re:Really cleaning up the Internet by Knight2K · · Score: 3, Insightful

    1. It is important to use the correct names for things. The word "terrorist" is subset of "criminal". My working definition of 'terrorist', which can doubtless be improved on, is: one who uses violence to create terror or panic within a populace in order to achieve political ends. Without the political component, a terrorist is simply a criminal guilty of assault, murder, theft, etc. and should be caught and prosecuted accordingly. By using this term incorrectly, you are just as guilty of spreading FUD as the U.S. government. While this may be an effective way to get attention, it is alarmist, unethical, and immoral.

    By expanding the meaning of the term, the government has been able to greatly expand its power at the expense of its citizens. It certainly is important to catch and prosecute cyber-criminals, but discuss it rationally and pass appropriate, targeted laws to deal with the problem. More importantly, enforce the ones that already exist.

    2. In most cases, a non-anonymous network would probably be fine, as long as encryption was used to keep data private. Unfortunately, we live in a world where, in some places, using encryption will get you tossed in jail, regardless of the content. In other words, it can be important to hide not only what you sent, but the fact that you sent it. A concrete example would be blogging in China. Given recent events with the NSA, I wouldn't be surprised if the U.S. government starts to take a more active role in discouraging personal strong encryption. How do we solve that problem?

    3. Guantanamo is one of the worst violations of human rights in recent history. Even the basest criminals are entitled to due process. That's what makes our system justice and not revenge. The United States is NOT the world police. There is a process to be followed to enforce change in other countries. The lack of serious international backing is part of our problem in Iraq. The U.S., despite being the last world superpower, does not have the resources to fight every battle and prosecute every crime that other countries won't deal with.

    You are right that we need effective computer crime laws and effective enforcement of them. The way to do it is to lobby other countries for this and establish treaties with them. Use diplomacy and sanctions where necessary. It isn't impossible; if we can get intellectual property laws perverted across the globe, surely we can expend the effort needed to reach cyber-criminals where ever they choose to hide.

    4. The government is supposed to work for us, but it needs watching. One of the most important lessons of modern history is that we have to be active and mistrustful of government, in order for it to function correctly. The Bay of Pigs was the first warning and the Watergate scandal made this manifest. The Iraq war, NSA wiretapping, and the PATRIOT Act are examples of what happens when we fail to perform our role of government watchdog. I'm not going to trust the government on who the bad guys are. I want the FBI, the CIA, Interpol, etc. to gather evidence and arrest criminals and bring them before the appropriate judicial authority and prove their case before the public.

    You are correct that this is a serious international problem and needs serious international intervention, but it also has to be done right.

    --
    ======
    In X-Windows the client serves YOU!