
August 11, 2007

Purple Pill beats Windows Vista’s 64-bit driver authentication

By Ruben Francia





Purple Pill, a utility that can bypass the new anti-rootkit/anti-DRM defense mechanism built into the 64-bit Vista kernel, was released, downloaded 39 times, and then removed more than an hour later.

Alex Ionescu has confirmed reports that his utility exploited the previously reported ATI driver flaw to patch the Vista kernel and turn off certain checks for signed drivers. This means malicious rootkit authors could piggyback on ATI’s legitimately signed driver to tamper with the Vista kernel.

Ionescu pulled the utility after realizing that the ATI driver vulnerability, which Purple Pill used as a proof of concept, is yet to be patched.

A spokesman for Microsoft disclosed that the company is working with ATI on the driver flaw and that, once it is fixed, the company will assist in getting the fix delivered to users of its OS.

“To the best of our knowledge, Purple Pill was a proof of concept demonstration tool that was available for a very limited time and is no longer available,” the spokesman said.

Since Purple Pill piggybacks on a security certificate for a hardware driver that’s installed in 50 per cent of laptops, it cannot be addressed as easily as the Atsiv exploit, where Microsoft simply revoked Linchpin Labs’ certificate on Atsiv and issued a signature for Windows Defender categorizing Atsiv as malicious.

Ollie Whitehouse, a security researcher at Symantec, told The Register that “What ATI is probably going to have to do is get a new certificate, sign fixed versions of all their affected drivers, and release them via Windows Update. Only then can Microsoft get VeriSign to revoke the signing certificate.”
