
August 2, 2007

Faulty drivers bypass Vista’s kernel protection

By Jonathan Schlaffer





As if this should come as any surprise, Vista has yet another security problem, one that can bypass the very system that was designed to prevent this in the first place.  Not all of the blame can be placed on Microsoft; at least some of it lies with the manufacturers that provide drivers that don’t perform the proper checks.  Security researcher Joanna Rutkowska has found faults in both ATi and nVidia drivers under Vista.

It would be impossible for Microsoft to predict every possible interaction of every driver from every manufacturer on its operating systems.  However, the common ones such as those provided by ATi and nVidia should be checked because they are two of the largest manufacturers of discrete graphics solutions.

She found that both the ATi Catalyst driver and nVidia’s nTune software can be used to write arbitrary registry values without performing the proper checks and “could be used as an attack vector to circumvent Vista kernel protection.”  Rutkowska continued with, “The whole problem in NVIDIA is that the driver doesn’t do the proper checks and can do a write for an arbitrary registry.”

But the problem doesn’t end there.  Further investigation discovered that the computer doesn’t even need the bad driver installed for it to be used as a method of attack.  “The attacker could just include it as part of their own rootkit and then use it to exploit Vista,” she said.

Her point was that the driver could be posted on any website and used to build a rootkit, and that it would not be possible to claim that it was intentionally done, because a $250 driver signing certificate was easy enough to get from a Microsoft partner site.

All this implies that the user would first have to download the file from a third party and not directly from nVidia or ATi.  The thought of someone doing that almost sickens me, but I know people do it and I’d advise them not to do so.  That doesn’t negate the fact that this problem exists, but in order to fall victim to it, you yourself have to download an infected file.

Besides, the Catalyst software and nVidia’s drivers are fairly resource heavy, and on my systems I have everything but the basic driver support disabled.  It’s a good idea to do the same, for security’s sake and because it will improve your startup times.





  • 2 Responses to “Faulty drivers bypass Vista’s kernel protection”

    1. Ruben:

      The security defenses put in place by Microsoft to protect its Windows Vista kernel are only for non-digitally-signed code. Drivers from ATi and nVidia, since they are digitally signed, even if they contain bugs, are acceptable to the Vista kernel. In addition, digitally signed drivers, without any bugs, which are made on purpose to install non-digitally-signed code can harm the Vista kernel.

    2. Microsoft blocks Vista kernel hacking tool - VISTA.BLORGE.com:

      [...] Faulty drivers bypass Vista’s kernel protection [...]
