Buggy ATI Driver Leaves Vista Open to Attack

Microsoft and AMD are fixing a bug in an ATI driver that leaves the Vista kernel open to attack.

Microsoft is working with AMD to fix a bug in an ATI driver that ships preinstalled on millions of laptops and which leaves the Vista kernel open to arbitrary memory writes by malicious driver authors.

Its not just ATI—virtualization security researcher Joanna Rutkowska said during her presentation at Black Hat earlier in August that ATI, which is owned by AMD, and Nvidia are just two examples of particularly badly written drivers, and that there could be tens of thousands of vulnerable drivers out there.

The bug in the ATI driver is that it allows arbitrary memory writes. Malicious driver authors can use that flaw to load unsigned drivers via the standard loading mechanism.

The problem of insecure drivers first came up when some authors at Linchpin Labs created a tool called Atsiv. Atsiv is a kernel driver that introduced the ability to load unsigned drivers onto Microsoft operating systems, including Vista. The authors claim it was born as a research project to examine the effects of enforced driver signing.

"It was intended to increase public awareness that driver signing as currently implemented does not provide additional security," they said on their site. "A company was created and signing certificate acquired within a very short period of time at a low cost, which raises the question as to what driver signing actually represents."

In fact, the authors went through the process of obtaining a signing key for both 32- and 64-bit versions of Vista. Its pretty easy—Rutkowska went through it herself, paying about $250 to Verisign for the registration. And with the ability to load arbitrary unsigned driver code came the ability to load rootkits into the Vista kernel.


For the top Vista support issues, click here.

As Symantec Research Scientist Ollie Whitehouse said, the ability to restrict loading of unsigned drivers into the Vista 64-bit kernel—its optional in 32-bit but restricted in 64-bit—was actually supposed to be a good thing.

"One big selling point of Windows Vista was the ability to restrict loading of unsigned drivers into the kernel, to stop malicious authors from creating malicious drivers" that they could then use to load rootkits into the Vista kernel, Whitehouse said in an interview with eWEEK.

Atsiv was a new driver and likely not used in many, if any, production environments. Thus it was an uncomplicated matter for Microsoft, of Redmond, Wash., to ask Verisign to revoke the drivers signing certificate.

"Then," Whitehouse said, "came Black Hat."

Research came out from Rutkowska and Alex Ionescu focused on going through the process of obtaining a signing key and looking for vulnerabilities in drivers that ship by default with Vista. One was the ATI bug, which Ionsecu packaged into a tool called Purple Pill. In Purple Pill was embedded an ATI-signed driver that could be dropped to disk and loaded, similar to how Atsiv worked.

The bug means that someone with administrative privileges on a 64-bit Vista machine can exploit this vulnerability to disable signing checks for driver loading, and thus can load arbitrary code onto the machine.

Ionescu quickly pulled Purple Pill—which had very briefly been posted to an entry on his blog, after realizing that Microsoft hadnt yet patched the problem. Purple Pill was reportedly downloaded some 39 times before getting pulled.

Why cant Microsoft just get Verisign to pull the ATI drivers signing certificate? Because there would be an ocean of stranded users, given its widespread install base.

"ATI hardware is very common," Whitehouse said. "The driver is used extensively in laptops around the globe."

Microsoft has thus been presented with an interesting challenge, Whitehouse said: It could just revoke the key, but it would disable potentially millions of desktops around the globe. "Its slowing down response time," he said.

Neither AMD nor Nvidia, in Santa Clara, Calif., had responded to queries by the time this story posted, but AMD has confirmed to other publications that its working on the problem and expected a fix out by Aug. 13. As quoted from security blogger Ryan Naraine at ZDNet, this statement from AMD, in Sunnyvale, Calif.:

"The market recently discovered a potential security vulnerability that could impact AMDs Catalyst software package. After immediate investigation, AMD determined that a small section of code in one of the files of our installer package file is potentially vulnerable. The AMD plan is to provide a new ATI Catalyst package no later than Monday, Aug. 13, 2007, that resolves this vulnerability. We strongly recommend that desktop ATI Radeon graphics users update to Catalyst version 7.8 once it is available on http://ati.amd.com/support/driver.html. AMD and Microsoft are also investigating additional distribution channels for this update. This vulnerability was not exclusive to AMD."


Click here to read more about a Vista Capable lawsuit.

Its possible that Microsoft will address the issue in Aug. 14s Patch Tuesday security bulletins. Whitehouse expected Microsoft to work with ATI to develop a fixed version of the driver, get it signed with a new signing certificate, get it deployed with the Windows update, and only then, once its been installed on desktops, will it revoke its certificate.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.