ATI Driver Flaw Exposes Vista Kernel to Attackers 248
Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel."
trusted computing (Score:3, Insightful)
so windows vista trusts ATI.
ATI trusts themselves.
I don't trust no one, especially closed-source drivers from ATI.
shouldn't they simply replace their "fglrx" with "ati", in their xorg.conf?
Ah, you kids have it easy... (Score:5, Insightful)
Re:Let's blame Microsoft (Score:2, Insightful)
What are Microsoft going to do now? Revoke the key they used to sign drivers with? How many copies of Vista wich verify drivers with the now-revoked pubkey have already been sold? How many devices were sold in retail with drivers which will no longer JustWork(tm)? Will Microsoft and the OEMs have the resources to re-certify each of those, or will they sign blindly?
Each of those probably stands a 50-50 chance of being either rooted or patched with the new key the first time it's connected to the 'net. How's that for convenience?
Oh, did I mention that finding another bug in another driver signed with the new key will mean the whole process must be repeated?
Oh and did I mention that if someone finds such a bug and sits on it, they have root to any Vista system in existence, until the bug is found and fixed (which may be never)?
ATI will patch this (Score:5, Insightful)
Seems like the real concern is not that ATI's code opens a security hole. You know ATI will patch it. A more important question is, how many other securely-signed drivers, etc., have similar holes? How many drivers are there in a typical Windows Vista system, anyway?
At least Microsoft can say (with some truth) that it's not THEIR software which introduces the problem! (it actually is, of course, but not directly)
Re:Bug or feature? (Score:3, Insightful)
Re:Open Source drivers (Score:1, Insightful)
Re:Kernel Type (Score:3, Insightful)
Re:So I read it right? (Score:2, Insightful)
Linux does NOT stand for free software. It happens to have a (now old and relatively flawed) free software license. The main direction for Linux comes from a guy who likes Tivoisation (ie, DRM), and is of the opinion that politics like Freedom issues don't matter; he just wants to create tools.
If you want a Free Software kernel, that guarantees you'll still be able to use it at version 11.6, you'll need to look further afield.
You could argue that kernels don't matter much anyway, as long as they're posix, and that's true, to an extent, but most desktops are now embracing HAL, etc., which are linux-specific.
Re:Bug or feature? (Score:3, Insightful)
Re:Let's blame Microsoft (Score:5, Insightful)
Well, one thing to consider is this -- how different are other OSes like Linux? With Linux, a root exploit in a kernel module gains you access to the whole system as well, especially when you consider that it uses a monolithic kernel. IOW, kernel modules directly patch the Linux kernel, live, in memory. Now consider that the ATI drivers for Linux are based at least in part on the ATI drivers for Windows.
Mind you that some things like SELinux might help to mitigate some of this in some scenarios, but not in all.
It will not work. Ever. (Score:5, Insightful)
Let's take a look at the inner workings of the system. Yes, MS has full access to the source code, so their drivers will probably not leak. They also have no "real" competition on the OS market (yes, there's Linux, there's MacOS, but what company would switch?). They can take their time to proof and perfect their drivers until you can be certain that they don't leak.
Do third party vendors have the source? No. Do they have tight schedules and competition breathing down their neck? You bet. Will they prefer performance or security? Well, what of those two is tested on pages like THG?
Worse yet, what if such a driver actually allows a user to "crack open" his system and use it as he pleases? Could you see people buy a cheap ATI card just for the purpose of disabling the DRM? I mean, there have been really, really crappy games for some consoles that sold surprisingly well, because they contained a bug that allowed disabling certain security measures. Save-game exploits were quite popular for a while.
Could you see that this "security" bug could actually be a selling argument FOR the hardware rather than against it?
Re:Let's blame Microsoft (Score:5, Insightful)
It's a local exploit.
did I mention that finding another bug in another driver signed with the new key will mean the whole process must be repeated?
Third parties write crap, exploitable code and it's MS's fault? You can write exploitable kernel modules for Linux as well, yet somehow I don't think you'd be blaming that on Linus. If anything, this is an argument for open source drivers, not against MS's scheme - although how many people actually have the skill to audit the code they run, let alone auditing it?
did I mention that if someone finds such a bug and sits on it, they have root to any Vista system in existence
Every Vista install that uses the exploitable driver, you mean. Just as an exploitable driver for Linux would open every Linux install that uses that driver. For example, I have an NVidia card; as and when I upgrade to Vista, I won't be vulnerable to this particular exploit.
Try to tone the hyperbole down a little, it's not very becoming.
Re:Let's blame Microsoft (Score:3, Insightful)
It is impossible to prove that any piece of software is 100% bug free. Impossible. Regardless of your operating system, if you trust kernel-level drivers (you actually want to *do* something useful with your system?), chances are that somewhere there is an exploitable flaw. It's just that no-one may have found it yet. There is no such thing as a 100% secure system.
Re:Let's blame Microsoft (Score:4, Insightful)
Re:Really cleaning up the Internet (Score:4, Insightful)
By expanding the meaning of the term, the government has been able to greatly expand its power at the expense of its citizens. It certainly is important to catch and prosecute cyber-criminals, but discuss it rationally and pass appropriate, targeted laws to deal with the problem. More importantly, enforce the ones that already exist.
2. In most cases, a non-anonymous network would probably be fine, as long as encryption was used to keep data private. Unfortunately, we live in a world where, in some places, using encryption will get you tossed in jail, regardless of the content. In other words, it can be important to hide not only what you sent, but the fact that you sent it. A concrete example would be blogging in China. Given recent events with the NSA, I wouldn't be surprised if the U.S. government starts to take a more active role in discouraging personal strong encryption. How do we solve that problem?
3. Guantanamo is one of the worst violations of human rights in recent history. Even the basest criminals are entitled to due process. That's what makes our system justice and not revenge. The United States is NOT the world police. There is a process to be followed to enforce change in other countries. The lack of serious international backing is part of our problem in Iraq. The U.S., despite being the last world superpower, does not have the resources to fight every battle and prosecute every crime that other countries won't deal with.
You are right that we need effective computer crime laws and effective enforcement of them. The way to do it is to lobby other countries for this and establish treaties with them. Use diplomacy and sanctions where necessary. It isn't impossible; if we can get intellectual property laws perverted across the globe, surely we can expend the effort needed to reach cyber-criminals where ever they choose to hide.
4. The government is supposed to work for us, but it needs watching. One of the most important lessons of modern history is that we have to be active and mistrustful of government, in order for it to function correctly. The Bay of Pigs was the first warning and the Watergate scandal made this manifest. The Iraq war, NSA wiretapping, and the PATRIOT Act are examples of what happens when we fail to perform our role of government watchdog. I'm not going to trust the government on who the bad guys are. I want the FBI, the CIA, Interpol, etc. to gather evidence and arrest criminals and bring them before the appropriate judicial authority and prove their case before the public.
You are correct that this is a serious international problem and needs serious international intervention, but it also has to be done right.
Re:Let's blame Microsoft (Score:2, Insightful)
Re:That's why microkernels are useful (Score:3, Insightful)
Absolutely correct and imho correct for all types of kernels. As long as hardware uses system memory to function, and the location of memory is not properly restricted, this problem will persist. Drivers openly developed could easily be developed to restrict specific device types to specific memory areas.
Re:What a bunch of malarky (Score:3, Insightful)
In a way, is there any point in ranking these things? They are each violations of human rights; some are certainly more horrific than others, but a violation is a violation just the same.
I debated adding illegality as a criteria for terrorism, but assumed it was implied. I wouldn't mind amending my definition. I agree with you that lawful force can be necessary, but the keyword is 'lawful'. International laws are laws as well and need to be respected until they can be changed to address the situation. We have standards for when invading other countries is allowed; we can't just choose to enforce our laws on other people's sovereign territory without getting a legal mandate to do so. If you argued that the U.N. is not up to addressing these issues, I would agree, and suggest that fixing the U.N. to be a more effective organization would help.
This is Slashdot, of course, so you are certainly free to ignore my suggestions, but I would hope that the due process of law falls under "doing it right".
Re:Let's blame Microsoft (Score:2, Insightful)
You mean, "local" as in how long does it take a trojan to trick a user into installing a local rootkit?