Buggy ATI Driver Leaves Vista Open to Attack

By Lisa Vaas | Posted 2007-08-14
Microsoft and AMD are fixing a bug in an ATI driver that leaves the Vista kernel open to attack.

Microsoft is working with AMD to fix a bug in an ATI driver that ships preinstalled on millions of laptops and which leaves the Vista kernel open to arbitrary memory writes by malicious driver authors. It's not just ATI—virtualization security researcher Joanna Rutkowska said during her presentation at Black Hat earlier in August that ATI, which is owned by AMD, and Nvidia are just two examples of particularly badly written drivers, and that there could be tens of thousands of vulnerable drivers out there.

The bug in the ATI driver is that it allows arbitrary memory writes. Malicious driver authors can use that flaw to load unsigned drivers via the standard loading mechanism.

The problem of insecure drivers first came up when some authors at Linchpin Labs created a tool called Atsiv. Atsiv is a kernel driver that introduced the ability to load unsigned drivers onto Microsoft operating systems, including Vista. The authors claim it was born as a research project to examine the effects of enforced driver signing. "It was intended to increase public awareness that driver signing as currently implemented does not provide additional security," they said on their site. "A company was created and signing certificate acquired within a very short period of time at a low cost, which raises the question as to what driver signing actually represents."

In fact, the authors went through the process of obtaining a signing key for both 32- and 64-bit versions of Vista. It's pretty easy—Rutkowska went through it herself, paying about $250 to Verisign for the registration. And with the ability to load arbitrary unsigned driver code came the ability to load rootkits into the Vista kernel.

As Symantec Research Scientist Ollie Whitehouse said, the ability to restrict loading of unsigned drivers into the Vista 64-bit kernel—it's optional in 32-bit but enforced in 64-bit—was actually supposed to be a good thing. "One big selling point of Windows Vista was the ability to restrict loading of unsigned drivers into the kernel, to stop malicious authors from creating malicious drivers" that they could then use to load rootkits into the Vista kernel, Whitehouse said in an interview with eWEEK.

Atsiv was a new driver and likely not used in many, if any, production environments. Thus it was an uncomplicated matter for Microsoft, of Redmond, Wash., to ask Verisign to revoke the driver's signing certificate. "Then," Whitehouse said, "came Black Hat."

Research came out from Rutkowska and Alex Ionescu focused on going through the process of obtaining a signing key and looking for vulnerabilities in drivers that ship by default with Vista. One was the ATI bug, which Ionescu packaged into a tool called Purple Pill. Embedded in Purple Pill was an ATI-signed driver that could be dropped to disk and loaded, similar to how Atsiv worked. The bug means that someone with administrative privileges on a 64-bit Vista machine can exploit this vulnerability to disable signing checks for driver loading, and thus can load arbitrary code onto the machine.

Ionescu quickly pulled Purple Pill—which had very briefly been posted to an entry on his blog—after realizing that Microsoft hadn't yet patched the problem. Purple Pill was reportedly downloaded some 39 times before getting pulled.

Why can't Microsoft just get Verisign to pull the ATI driver's signing certificate? Because there would be an ocean of stranded users, given its widespread install base. "ATI hardware is very common," Whitehouse said. "The driver is used extensively in laptops around the globe." Microsoft has thus been presented with an interesting challenge, Whitehouse said: It could just revoke the key, but doing so would disable potentially millions of desktops around the globe. "It's slowing down response time," he said.

Neither AMD nor Nvidia, in Santa Clara, Calif., had responded to queries by the time this story posted, but AMD has confirmed to other publications that it's working on the problem and expected a fix out by Aug. 13. As quoted from security blogger Ryan Naraine at ZDNet, this statement from AMD, in Sunnyvale, Calif.: "The market recently discovered a potential security vulnerability that could impact AMD's Catalyst software package. After immediate investigation, AMD determined that a small section of code in one of the files of our installer package file is potentially vulnerable.

The AMD plan is to provide a new ATI Catalyst package no later than Monday, Aug. 13, 2007, that resolves this vulnerability. We strongly recommend that desktop ATI Radeon graphics users update to Catalyst version 7.8 once it is available on http://ati.amd.com/support/driver.html. AMD and Microsoft are also investigating additional distribution channels for this update. This vulnerability was not exclusive to AMD."

It's possible that Microsoft will address the issue in Aug. 14's Patch Tuesday security bulletins. Whitehouse expected Microsoft to work with ATI to develop a fixed version of the driver, get it signed with a new signing certificate, get it deployed through Windows Update, and only then, once the fixed driver has been installed on desktops, revoke the old driver's certificate.