ATI Driver Flaw Exposes Vista Kernel to Attackers
Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel."
Re:Let's blame Microsoft (Score:3, Informative)
VeriSign just signs the driver author's certificate, and even then just to say "these guys are who they say they are, and they're doing code signing with the key matching this certificate". They most certainly say nothing at all about the correctness of the drivers; that's up to the driver author (and maybe Microsoft too).
Re:Let's blame Microsoft (Score:3, Informative)
VeriSign can sign only SSL certs and certain less-well-known types of keys for you.
Re:Let's blame Microsoft (Score:1, Informative)
Or read this: http://www.microsoft.com/whdc/winlogo/drvsign/kms
You *can* buy a software publishing certificate from VeriSign and you *can* use it to sign a driver which you *can* load in Vista.
Partly correct (slightly OT) (Score:3, Informative)
Considering the lousy reviews, it seems that Windows Vista is indeed "just a hack" on top of XP.
But it is no longer correct that it is a hack based on DOS. Parallel to Windows 9x, Microsoft introduced the Windows NT line. Windows 2000, XP and Vista are based on that.
In a direct comparison of Windows 2000 to Windows 98 (yes I've used both), Windows 2000 is a lot more stable, especially when confronted with bad applications. It is not perfect but definitely good enough for desktop use.
I'm using XP only occasionally, but it seems OK as well.
Vista - cough - no thanks. The reviews and personal accounts I've read are reason enough not to even try it. And the quality is only half of it; the EULA is even more unacceptable. Even if I strongly suspect it would be unenforceable in my country, I'd rather avoid getting anywhere near it.
Re:My understanding was that video runs in ring 3 (Score:3, Informative)
Vista supports two display driver arrangements: XPDDM, the XP display driver model, which is compatible with XP drivers (with the display driver in kernel mode like NT4), and LDDM (Longhorn display driver model) which has moved the display driver back into user mode, hosted in dwm.exe with the new desktop window manager.
There is a private interface for the display driver in user mode to communicate with the miniport driver in kernel mode. This is presumably where the ATI driver flaw is: the miniport apparently has a function to let the display driver read and write to arbitrary memory locations. Note that the caller has to be privileged to even open the miniport device object for communication. The flaw here allows a privileged user to bypass driver signing requirements.
For example, with nVidia's drivers, the XPDDM version has nv4_mini.sys as the miniport, and nv4_disp.dll as the display driver (kernel mode). The LDDM version has nvlddmkm.sys as the miniport and nvd3dumx.dll as the display driver (user mode).
The miniport has always been in kernel mode because it has to talk to the hardware. The display driver has gone from user to kernel and back to user mode.
Linux also uses a split kernel mode / user mode driver (in the X server) model.
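The comment above describes the flaw class in the abstract: a signed kernel driver exposes an IOCTL through which a privileged user-mode caller can read or write arbitrary kernel memory, and the attacker uses that write to flip the code-integrity check off. The following is an added illustration, written for this page and not code from ATI, Microsoft or the Purple Pill tool. It models the kernel as a byte array and the IOCTL as a struct, so it runs entirely in user mode; the offset of the "signing enforced" flag and the MMIO window are invented for the model. It contrasts a handler that trusts the caller's address with one that only accepts writes inside the range the device legitimately needs, which is the check a miniport of this kind should have had.

```c
/*
 * Model of an "arbitrary kernel write via IOCTL" primitive and its fix.
 * Added example for this page; NOT ATI's driver and NOT the Windows DDK API.
 * The "kernel" is a byte array, the "IOCTL" is a plain struct, and the
 * offsets below (CI_FLAG_OFFSET, MMIO_OFFSET) are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define KERNEL_SIZE     4096        /* size of the simulated kernel image      */
#define CI_FLAG_OFFSET  0x800       /* hypothetical "enforce driver signing"   */
#define MMIO_OFFSET     0x100       /* hypothetical device-register mirror ... */
#define MMIO_LEN        0x100       /* ... that the display driver may write   */

static uint8_t g_kernel[KERNEL_SIZE];

/* The request a user-mode display driver hands to the miniport. */
typedef struct {
    uint64_t address;   /* caller-chosen target (a kernel VA in real life) */
    uint32_t length;
    uint8_t  data[64];
} write_req_t;

typedef int (*ioctl_handler_t)(const write_req_t *);

static void reset_kernel(void)
{
    memset(g_kernel, 0, sizeof g_kernel);
    g_kernel[CI_FLAG_OFFSET] = 1;   /* signing enforcement ON */
}

int kernel_enforces_signing(void)
{
    return g_kernel[CI_FLAG_OFFSET] != 0;
}

/* Vulnerable handler: the caller picks any address, the driver writes there.
 * The single bounds check only keeps this simulation inside its own array;
 * a real driver with this bug has no such guard at all. */
int ioctl_write_vuln(const write_req_t *req)
{
    if (req->length > sizeof req->data) return -1;
    if (req->address >= KERNEL_SIZE || req->length > KERNEL_SIZE - req->address)
        return -1;                                    /* simulation safety only */
    memcpy(&g_kernel[req->address], req->data, req->length);
    return 0;
}

/* Hardened handler: writes are confined to the device's own register window.
 * Length is checked first so the range arithmetic cannot overflow. */
int ioctl_write_hardened(const write_req_t *req)
{
    if (req->length == 0 || req->length > sizeof req->data) return -1;
    if (req->address < MMIO_OFFSET) return -1;
    if (req->address - MMIO_OFFSET > MMIO_LEN - req->length) return -1;
    memcpy(&g_kernel[req->address], req->data, req->length);
    return 0;
}

/* Simulate the rootkit: one-byte write that zeroes the signing flag.
 * Returns 1 if signing is still enforced afterwards, 0 if it was patched out. */
int run_attack(ioctl_handler_t handler)
{
    write_req_t req;
    reset_kernel();
    memset(&req, 0, sizeof req);
    req.address = CI_FLAG_OFFSET;
    req.length  = 1;
    req.data[0] = 0;
    handler(&req);
    return kernel_enforces_signing();
}

/* A write the display driver legitimately needs: inside the MMIO window.
 * Returns the handler's status (0 = accepted). */
int run_legit_write(ioctl_handler_t handler)
{
    write_req_t req;
    reset_kernel();
    memset(&req, 0, sizeof req);
    req.address = MMIO_OFFSET + 0x10;
    req.length  = 4;
    memcpy(req.data, "\x01\x02\x03\x04", 4);
    return handler(&req);
}

int main(void)
{
    printf("vulnerable handler: signing enforced after attack = %d\n",
           run_attack(ioctl_write_vuln));
    printf("hardened handler:   signing enforced after attack = %d\n",
           run_attack(ioctl_write_hardened));
    printf("hardened handler:   legitimate MMIO write status   = %d\n",
           run_legit_write(ioctl_write_hardened));
    return 0;
}
```

The point of the contrast is that "caller must be an administrator" is not a substitute for range validation: the whole purpose of kernel-mode code signing is to stop an administrator-level process from putting arbitrary code in the kernel, so any signed driver that writes wherever a privileged caller asks becomes the bypass. In a real Windows driver the equivalent fix is to validate the requested range against the device's own resources rather than accepting a raw virtual address.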