| | #1 |
| Elite Members Join Date: Nov 2006 Location: S.W. Kansas
Posts: 2,841
ATI cracks/hacks/compromised Vista Kernel - ATI driver package opens Vista to flaw
by Justin Mann on August 10, 2007, 11:51 AM

For all the praise Microsoft gave to the Vista kernel, touting it as robust and secure, it has taken quite a beating in the field. Just recently, Microsoft was forced to block a particular program that could result in “kernel compromise”, and even more recently something almost everyone takes for granted has done the same. An ATI driver for video cards could potentially be used to compromise the kernel in Windows Vista. Apparently, one of the hackers who discovered the flaw had assumed it was already patched and released a tool that demonstrated such. He pulled the tool once he learned the flaw was “in the wild”:

In an interview, Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI’s legitimately signed driver to tamper with the Vista kernel.

Microsoft and AMD/ATI are already working together to fix the issue. Ultimately it was a way to load unsigned drivers into the Vista kernel, which Microsoft is relying on to help prevent a machine from getting compromised by either an enterprising hacker or a legit user wanting to bypass Vista's DRM. While the security implications here aren't anything unusual, it does beg a question. If it is as easy as loading a signed but faulty driver into Vista to result in compromise, can they really claim they have increased security at all over XP?

__________________
The only Stupid Question is the one you failed to Ask!
Beta Tester since Pre Win 95.