Windows Operating Systems Software Security IT

ATI Driver Flaw Exposes Vista Kernel to Attackers 248

Shack0ption writes "An unpatched flaw in an ATI driver was at the center of the mysterious Purple Pill proof-of-concept tool that exposed a way to maliciously tamper with the Windows Vista kernel. The utility, released by Alex Ionescu and yanked an hour later after the kernel developer realized that the ATI driver flaw was not yet patched, provided an easy way to load unsigned drivers onto Vista — effectively defeating the new anti-rootkit/anti-DRM mechanism built into Microsoft's newest operating system. Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI's legitimately signed driver to tamper with the Vista kernel."
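As an added, defender-side example that is not part of the Slashdot post, of ATI's driver, or of Ionescu's tool: a PowerShell audit that lists the kernel drivers currently running, reports each one's Authenticode signature status, and flags whether the driver and version named in the summary (atidsmxx.sys, 3.0.502.0) is loaded. The cmdlets used are standard Windows ones; the helper name Resolve-DriverPath, the variable names and the output columns are my own.

```powershell
# Added audit script (not from the Slashdot post or from Ionescu's tool).
# Lists running kernel drivers, shows their Authenticode status, and flags the
# driver/version the summary names. Assumes Windows with PowerShell 3 or later
# (Get-CimInstance) and an elevated prompt so driver image files are readable.
# The file name and version are the only page-specific values used here.

$flaggedName    = 'atidsmxx.sys'   # driver named in the summary
$flaggedVersion = '3.0.502.0'      # version named in the summary

function Resolve-DriverPath {
    param([string]$PathName)
    # Service entries use several prefix styles; normalise to a plain file path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    return $p
}

$results = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path -LiteralPath $path)) { return }   # skip the current item

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $info = (Get-Item -LiteralPath $path).VersionInfo
        $isFlagged = ([IO.Path]::GetFileName($path) -ieq $flaggedName) -and
                     ($info.FileVersion -like "$flaggedVersion*")

        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            Version   = $info.FileVersion
            SigStatus = $sig.Status
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Flagged   = $isFlagged
        }
    }

# Anything not 'Valid' deserves a look; the named driver is called out explicitly.
$results | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Flagged } |
    Sort-Object Flagged -Descending |
    Format-Table Name, Version, SigStatus, Flagged, Signer, Path -AutoSize
```

Two caveats when reading the output: a status other than Valid can also mean the driver is signed through a catalog file the cmdlet did not resolve, so treat it as a prompt to investigate rather than as proof of tampering; and the Flagged column is only a file-name and version-string match against the values in the summary, which tells you the named build is loaded, not whether the kernel has already been patched through it.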


  • trusted computing (Score:3, Insightful)

    by Anonymous Coward on Friday August 10, 2007 @07:39AM (#20180911)
    ok...
    so windows vista trusts ATI.
    ATI trusts themselves.
    I don't trust no one, especially closed-source drivers from ATI.

    shouldn't they simply replace their "fglrx" with "ati", in their xorg.conf?
  • by Glowing Fish ( 155236 ) on Friday August 10, 2007 @07:55AM (#20181021) Homepage
    The fact that people are actually going to the lengths of breaking into Windows by using a legitimate driver with kernel access to load in rootkits...the fact that it even requires explaining, means that Windows has reached some type of real security. I mean, with Windows 98, you would just hit enter on the login dialog box, and there you were!
  • by Magada ( 741361 ) on Friday August 10, 2007 @07:57AM (#20181031) Journal
    It starts here, with me. Microsoft is making driver devs jump through hoops with the whole signed-drivers thing when all it takes (as has been shown in this case) is ONE signed driver with ONE exploitable flaw to break the whole scheme.

    What are Microsoft going to do now? Revoke the key they used to sign drivers with? How many copies of Vista which verify drivers with the now-revoked pubkey have already been sold? How many devices were sold in retail with drivers which will no longer JustWork(tm)? Will Microsoft and the OEMs have the resources to re-certify each of those, or will they sign blindly?

    Each of those probably stands a 50-50 chance of being either rooted or patched with the new key the first time it's connected to the 'net. How's that for convenience?

    Oh, did I mention that finding another bug in another driver signed with the new key will mean the whole process must be repeated?

    Oh and did I mention that if someone finds such a bug and sits on it, they have root to any Vista system in existence, until the bug is found and fixed (which may be never)?
  • by Dekortage ( 697532 ) on Friday August 10, 2007 @07:59AM (#20181041) Homepage

    Seems like the real concern is not that ATI's code opens a security hole. You know ATI will patch it. A more important question is, how many other securely-signed drivers, etc., have similar holes? How many drivers are there in a typical Windows Vista system, anyway?

    At least Microsoft can say (with some truth) that it's not THEIR software which introduces the problem! (it actually is, of course, but not directly)

  • Re:Bug or feature? (Score:3, Insightful)

    by mugenjou ( 912908 ) on Friday August 10, 2007 @07:59AM (#20181043)

    I guess it's a feature to the bad guys. To everyone else, it's a bug.
    I guess it's a bug to Microsoft and the content industries. To everyone else, it's a feature.
  • by Anonymous Coward on Friday August 10, 2007 @08:00AM (#20181053)
    Yes.
  • Re:Kernel Type (Score:3, Insightful)

    by Magada ( 741361 ) on Friday August 10, 2007 @08:06AM (#20181085) Journal
    It's an interesting dilemma for Microsoft - they can't have DRM without video drivers running in kernelspace (performance issues), but DRM is broken if they allow drivers in kernelspace. Consider this: anyone can now load the vulnerable driver, apply Ionescu's magic and WHAM! I predict pirate-patched video card drivers for windows are coming soon - the opportunity to strip the DRM out of high-def movies from the comfort of your own PC is just too nice to pass up. And doing it with a legitimate copy of Vista? Priceless.
  • by CarpetShark ( 865376 ) on Friday August 10, 2007 @08:14AM (#20181135)

    and I thought Linux stood for free software...

    Linux does NOT stand for free software. It happens to have a (now old and relatively flawed) free software license. The main direction for Linux comes from a guy who likes Tivoisation (ie, DRM), and is of the opinion that politics like Freedom issues don't matter; he just wants to create tools.

    If you want a Free Software kernel, that guarantees you'll still be able to use it at version 11.6, you'll need to look further afield.

    You could argue that kernels don't matter much anyway, as long as they're posix, and that's true, to an extent, but most desktops are now embracing HAL, etc., which are linux-specific.
  • Re:Bug or feature? (Score:3, Insightful)

    by Opportunist ( 166417 ) on Friday August 10, 2007 @08:20AM (#20181177)
    If you consider someone a bad guy who wants his legally purchased machine to do what he wants, then yes.
  • by morgan_greywolf ( 835522 ) on Friday August 10, 2007 @08:28AM (#20181237) Homepage Journal
    (BTW--I've been using Linux as my primary OS since 1996, so no I'm not Linux bashing)

    Well, one thing to consider is this -- how different are other OSes like Linux? With Linux, a root exploit in a kernel module gains you access to the whole system as well, especially when you consider that it uses a monolithic kernel. IOW, kernel modules directly patch the Linux kernel, live, in memory. Now consider that the ATI drivers for Linux are based at least in part on the ATI drivers for Windows.

    Mind you that some things like SELinux might help to mitigate some of this in some scenarios, but not in all.

  • by Opportunist ( 166417 ) on Friday August 10, 2007 @08:29AM (#20181247)
    Actually I'm amazed it took almost a year. I would've bet my annual income that something like this would surface before May.

    Let's take a look at the inner workings of the system. Yes, MS has full access to the source code, so their drivers will probably not leak. They also have no "real" competition on the OS market (yes, there's Linux, there's MacOS, but what company would switch?). They can take their time to proof and perfect their drivers until you can be certain that they don't leak.

    Do third party vendors have the source? No. Do they have tight schedules and competition breathing down their neck? You bet. Will they prefer performance or security? Well, which of those two is tested on pages like THG?

    Worse yet, what if such a driver actually allows a user to "crack open" his system and use it as he pleases? Could you see people buy a cheap ATI card just for the purpose of disabling the DRM? I mean, there have been really, really crappy games for some consoles that sold surprisingly well, because they contained a bug that allowed disabling certain security measures. Save-game exploits were quite popular for a while.

    Could you see that this "security" bug could actually be a selling argument FOR the hardware rather than against it?
  • by Tim C ( 15259 ) on Friday August 10, 2007 @08:38AM (#20181305)
    Each of those probably stands a 50-50 chance of being either rooted or patched with the new key the first time it's connected to the 'net.

    It's a local exploit.

    did I mention that finding another bug in another driver signed with the new key will mean the whole process must be repeated?

    Third parties write crap, exploitable code and it's MS's fault? You can write exploitable kernel modules for Linux as well, yet somehow I don't think you'd be blaming that on Linus. If anything, this is an argument for open source drivers, not against MS's scheme - although how many people actually have the skill to audit the code they run, let alone auditing it?

    did I mention that if someone finds such a bug and sits on it, they have root to any Vista system in existence

    Every Vista install that uses the exploitable driver, you mean. Just as an exploitable driver for Linux would open every Linux install that uses that driver. For example, I have an NVidia card; as and when I upgrade to Vista, I won't be vulnerable to this particular exploit.

    Try to tone the hyperbole down a little, it's not very becoming.
  • by tttonyyy ( 726776 ) on Friday August 10, 2007 @08:40AM (#20181325) Homepage Journal
    But you'll also find that the Linux kid will also drop a "load in his shorts" if he's using a kernel module with a flaw that can be exploited.

    It is impossible to prove that any piece of software is 100% bug free. Impossible. Regardless of your operating system, if you trust kernel-level drivers (you actually want to *do* something useful with your system?), chances are that somewhere there is an exploitable flaw. It's just that no-one may have found it yet. There is no such thing as a 100% secure system.
  • by mhall119 ( 1035984 ) on Friday August 10, 2007 @09:52AM (#20182085) Homepage Journal
    Malicious to whom? This system seems designed more to prevent the installation of kernel-mode drivers that would allow the circumvention of things like DRM. I guess it could stop the installation of rootkits too, but there are other ways to stop them. It's funny (to me at least) that there are things that Windows can stop even an Administrator from doing on their own machine.
  • by Knight2K ( 102749 ) on Friday August 10, 2007 @10:05AM (#20182231) Homepage
    1. It is important to use the correct names for things. The word "terrorist" is subset of "criminal". My working definition of 'terrorist', which can doubtless be improved on, is: one who uses violence to create terror or panic within a populace in order to achieve political ends. Without the political component, a terrorist is simply a criminal guilty of assault, murder, theft, etc. and should be caught and prosecuted accordingly. By using this term incorrectly, you are just as guilty of spreading FUD as the U.S. government. While this may be an effective way to get attention, it is alarmist, unethical, and immoral.

    By expanding the meaning of the term, the government has been able to greatly expand its power at the expense of its citizens. It certainly is important to catch and prosecute cyber-criminals, but discuss it rationally and pass appropriate, targeted laws to deal with the problem. More importantly, enforce the ones that already exist.

    2. In most cases, a non-anonymous network would probably be fine, as long as encryption was used to keep data private. Unfortunately, we live in a world where, in some places, using encryption will get you tossed in jail, regardless of the content. In other words, it can be important to hide not only what you sent, but the fact that you sent it. A concrete example would be blogging in China. Given recent events with the NSA, I wouldn't be surprised if the U.S. government starts to take a more active role in discouraging personal strong encryption. How do we solve that problem?

    3. Guantanamo is one of the worst violations of human rights in recent history. Even the basest criminals are entitled to due process. That's what makes our system justice and not revenge. The United States is NOT the world police. There is a process to be followed to enforce change in other countries. The lack of serious international backing is part of our problem in Iraq. The U.S., despite being the last world superpower, does not have the resources to fight every battle and prosecute every crime that other countries won't deal with.

    You are right that we need effective computer crime laws and effective enforcement of them. The way to do it is to lobby other countries for this and establish treaties with them. Use diplomacy and sanctions where necessary. It isn't impossible; if we can get intellectual property laws perverted across the globe, surely we can expend the effort needed to reach cyber-criminals wherever they choose to hide.

    4. The government is supposed to work for us, but it needs watching. One of the most important lessons of modern history is that we have to be active and mistrustful of government, in order for it to function correctly. The Bay of Pigs was the first warning and the Watergate scandal made this manifest. The Iraq war, NSA wiretapping, and the PATRIOT Act are examples of what happens when we fail to perform our role of government watchdog. I'm not going to trust the government on who the bad guys are. I want the FBI, the CIA, Interpol, etc. to gather evidence and arrest criminals and bring them before the appropriate judicial authority and prove their case before the public.

    You are correct that this is a serious international problem and needs serious international intervention, but it also has to be done right.
  • by Cythrawl ( 941686 ) on Friday August 10, 2007 @10:45AM (#20182763)
    Umm Microsoft DIDN'T sign the code, ATI DID. The drivers AREN'T WHQL verified... Who's the asshole now?
  • by sgt scrub ( 869860 ) <saintiumNO@SPAMyahoo.com> on Friday August 10, 2007 @12:07PM (#20183925)
    The largest hurdle microkernels have to overcome, however, is the problem of DMA
    Absolutely correct and imho correct for all types of kernels. As long as hardware uses system memory to function, and the location of memory is not properly restricted, this problem will persist. Drivers openly developed could easily be developed to restrict specific device types to specific memory areas.
  • by Knight2K ( 102749 ) on Friday August 10, 2007 @12:18PM (#20184101) Homepage
    I was trying to avoid Godwin's law, since there are many other examples that can be appealed to besides Nazi Germany. The genocide in the former Yugoslavia and Darfur works as well. Saying Gitmo is "one of the worst" is not the same as "is the worst". I am certainly aware of the Holocaust, know a great deal about it and certainly acknowledge that it happened and was terrible. I have no problem with the Holocaust being the worst, but Gitmo is clearly wrong and abusive.
    In a way, is there any point in ranking these things? They are each violations of human rights; some are certainly more horrific than others, but a violation is a violation just the same.

    I debated adding illegality as a criterion for terrorism, but assumed it was implied. I wouldn't mind amending my definition. I agree with you that lawful force can be necessary, but the key word is 'lawful'. International laws are laws as well and need to be respected until they can be changed to address the situation. We have standards for when invading other countries is allowed; we can't just choose to enforce our laws on other people's sovereign territory without getting a legal mandate to do so. If you argued that the U.N. is not up to addressing these issues, I would agree, and suggest that fixing the U.N. to be a more effective organization would help.

    This is Slashdot, of course, so you are certainly free to ignore my suggestions, but I would hope that the due process of law falls under "doing it right".

  • by A non-mouse Coward ( 1103675 ) on Friday August 10, 2007 @01:40PM (#20185391)

    It's a local exploit.

    You mean, "local" as in how long does it take a trojan to trick a user into installing a local rootkit?
