Vista Kernel Dogged by Bad Drivers

Opinion: Microsoft says its Windows Vista signed driver policy was never meant to be a security feature.

First there was Atsiv, the kernel driver that served as a welcome mat for unsigned and potentially malicious drivers to load into Vista and other Microsoft operating systems.

Then came the ATI driver that could allow arbitrary memory writes to the Vista kernel—a vulnerability that has been introduced to potentially millions of laptops, given that the driver is preinstalled along with Vista.

Now Symantec's Ollie Whitehouse is pointing out yet another driver vulnerability that actually predates those two: WinPcap, an open-source, packet-sniffing driver used by tools such as Wireshark.

WinPcap (Windows Packet Capture Library), which is used for link-layer network access in Windows environments, allows applications to capture and transmit network packets bypassing the protocol stack and provides kernel-level packet filtering, a network statistics engine and support for remote packet capture.

The developers of the widely used driver added support for Windows x64 in January, as its change log shows, "by digitally signing all the binaries of the WinPcap distribution." Then on July 3, they fixed a bug that involved a system call found on Unix-like systems that allows an application to control or communicate with a device driver outside the usual read/write of data. The bug caused a BSOD (blue screen of death) when passing invalid parameters from the user level.

In Windows NT, 2000, XP, 2003 and yes, Vista, a BSOD happens when the kernel or a driver running in kernel mode can't recover from an error.

As Whitehouse described it, the WinPcap vulnerability allows, yet again, arbitrary writing to kernel memory.

It's another example of a certificate Microsoft will have to consider pulling, Whitehouse said, and it's another really good reason to stay on top of upgrades.

At this point, it's clear that driver problems are going to occur frequently with Vista. As has been made evident by the Atsiv and ATI driver news and now by this WinPcap case, and as was made abundantly clear by kernel security expert Joanna Rutkowska at Black Hat earlier in August, there's no shortage of vulnerable drivers.

As Whitehouse pointed out when I talked to him Aug. 14, the ability to restrict loading of unsigned drivers into the Vista x64 kernel (it's optional in 32-bit but restricted in x64) was supposed to be a good thing, "to stop malicious authors from creating malicious drivers" that they could then use to load rootkits into the Vista kernel, he said at the time.

Was the idea that Vista x64 is more secure due to its policy on unsigned drivers something we all made up?

"I believe driver signing was originally described as a security feature designed to stop the loading of arbitrary kernel drivers," Whitehouse said in an e-mail Aug. 15. "With the advent of kernel rootkits this was a common method they used to load themselves in the kernel and influence the operating system to hide themselves. KMCS (Kernel Mode Code Signing) should be seen as complementary to KPP (Kernel Patch Protection) in providing the first line of defense to stop code from being loaded. Obviously the discovery of vulnerabilities in legitimate drivers undermines this."

Fair enough. But if we go by an Aug. 3 posting on Microsoft's Windows Vista Security blog and the company's subsequent response to driver issues, we must conclude that we have been mistaken about driver signing being intended as a security feature.
