AMD/ATI Video Drivers: Unsafe At Any Speed

An anonymous reader writes "CERT/CC has called out AMD for having insecure video drivers. AMD/ATI video drivers are incompatible with system-wide ASLR. 'Always On' DEP combined with 'Always On' ASLR are effective exploit mitigations. However, most people don't know about 'Always On' ASLR since Microsoft had to hide it from EMET with an 'EnableUnsafeSettings' registry key — because AMD/ATI video drivers will cause a BSOD on boot if 'Always On' ASLR is enabled."

Sensationalism at its best!

[Zephiris]

EMET is a tool Microsoft releases to enable specific settings, then they hide stuff like the "AlwaysOn" behind a registry setting they term unsafe.

Nowhere does it on any of the linked Microsoft pages say that this "unsafe" is hidden because of AMD, unlike what the article boldly suggests. Microsoft would be unlikely to grant WHQL status to drivers violating something it actually wants on by default.
Nobody gets the EMET settings "by default". You have to download and run it, many options you have to enable per-program, and many programs don't work with it.
The article they link to says Skype, Microsoft's own Silverlight, and World of Warcraft all don't work with the EAF option (everything is enabled by default for a program you select).
Nobody is getting, or would get, any of these protections "by default". So saying that AMD drivers "are making your computer less secure" is ridiculous, given that even if it's still an issue (the only linked mention hasn't been updated in over a year), it's limiting the maximum POSSIBLE security, which you would have to enable and run yourself...turn on settings that Microsoft deems unsafe, and knowingly risk making your machine unbootable. All for having ALSR "potentially" work for binaries that don't deem themselves compatible? Great...

Microsoft's own documentation says that all binaries can opt-in to ALSR (same as they have to opt in to DEP by default), but it has nothing to do with system drivers. Out of all of the processes running on my system, only two (an IM client, and a mouse hook service) don't have ALSR. These days, on VS2010, binaries are compiled with the ALSR and DEP flags set by default. You have to specifically opt out.

EMET's own user manual says that it uses a different, conflicting ALSR implementation than what the system natively does...might explain why fewer things are compatible with it.

TLDR: There is no evidence whatsoever that AMD drivers would make your system "actually less secure". There's one note that it "could" make your system less secure, if Microsoft were pushing a security option that it doesn't support.

People should focus on actual issues, instead of inventing imaginary ones just to try to make themselves more relevant and "in the news". I'm disgusted by CERT's behavior. I would've thought they'd at least stick to the actual facts of the case, instead of acting like the dime-a-dozen "don't need no fact checking" bloggers.

Disclaimer: I currently have an AMD card, have used both Nvidia and AMD cards since the late 90s with varying success.