AMD has released a patch for its ATI Catalyst drivers to remove the possibility of them being used as an attack vector to circumvent the improved security defenses of Vista..

The ATI driver flaw was highlighted by Joanna Rutkowska, security researcher and founder of Invisible Things Lab, at the Black Hat conference early this month as an illustration of why the Vista kernel protection doesn’t work.

The flaw was later exploited by a proof-of-concept-tool, Purple Pill, released by security researcher Alex Ionescu, that patches the Vista kernel to turn off certain checks for signed drivers, which means any malicious rootkit author could piggyback on ATI’s legitimately signed driver to tamper with the Vista kernel.

ATI has confirmed the bug, which affects the AMD Catalyst software package and strongly urged users to download the patch, Catalyst version 7.8.

While the bug has been patched, it doesn’t mean that Vista is really secure OS. Considering that there are several hundreds of third-party drivers that are poorly written, the same problem could occur again and again.

In addition, an attacker could make their own malicious driver, get the driver certified to use for an attack.

And because Microsoft has no way of knowing in advance whether a driver has a bug, or has been made explicitly for the purpose of corrupting the Vista kernel, the company needs to come up with a plan on how it can protect its Vista kernel better.

---

Related:

Microsoft tightens Vista kernel defenses, updates PatchGuard

Microsoft officially releases Vista patches, no word yet on SP1

Microsoft’s Vista PatchGuard updates not connected to kernel hacks

Windows XP SP3 invades torrent channels for those not keen on Vista SP1

Microsoft releases latest Vista update for iPods

Entry was posted on Monday, August 13th, 2007 at 6:56 pm under Security, Vista.  Print This Post

Read more entries by Ruben Francia.