back to article ATI driver flaw exposes Vista kernel

An unpatched flaw in drivers from ATI creates a means to smuggle malware past improved security defences in the latest version of Windows and into the Vista kernel. Microsoft is working with ATI on an update which security watchers warn might be far from straightforward to roll-out. The existence of the security flaw in ATI' …

COMMENTS

This topic is closed for new posts.
  1. Dam

    At least they have some humour

    quote: Microsoft takes the security of its customers very seriously

    A sarcastic person might add:

    sed -e "s/customers/cash_cow_business/g"

  2. Thorin

    Stupid Comments from Vendors

    -----quote------

    "To the best of our knowledge, Purple Pill was a proof of concept demonstration tool that was available for a very limited time and is no longer available," it added.

    -----end quote-----

    What a pull the wool over their eyes type statement. Anyone with half a brain should realize that "no loner available" actually means "no longer available from the original source". Microsoft doesn't have "Phenominal cosmic power" like the genie in Aladdin, they may have had the original download/site taken offline but how many 1000s of copies of the program (and perhaps source) do you figure are in the wild beyond their control/notice?

  3. Vladimir Plouzhnikov

    Trusted computing

    I'd rather risk infection by malware than voluntarily install a system where a perfectly serviceable driver for a perfectly serviceable hardware can be killed by a remote "benefactor" at his discretion, while I'm forced to watch helplessly the progress of a system "update".

    Actually, this makes the entire system malware in my books.

    But the really interesting thing will happen when someone hacks into the MS certification cerver and mass-revoke the certificates of a few hundred device drivers, then pushes out another system update. This can happen, can't it?

  4. Anonymous Coward
    Anonymous Coward

    F*CK TPC

    This is the beginning of the worst thing ever to happen to computers. Imagine if the Internet never came along, and we were all forced to use CompuServe. That is exactly where PCs are headed if this continues. God damnit it’s my computer, and my drivers, if I happen to have a perfectly good driver that MS didn't sign, I should be able to install it; after all, I bought the damned thing!

  5. Sabahattin Gucukoglu

    Oh, the joys of driver signing!

    Driver signing is great, isn't it? I install a complete Windows system from fresh Microsoft-certified expensively-priced and expensively-packaged media, upgrade my OS from heavily-overpowered and damned slow Microsoft update servers, and get a really crappy desktop experience with no sound due to incorrectly installed drivers, occasional BSODs, really bad IDE controller performance and now gaping kernel holes with genuine drivers ... then upgrade to the latest drivers from my various vendors using the clean driver installation interface (InfInstall) which are not signed by Microsoft's team of crack-powered security pros and ... behold! I feel young again!

    Tip: in XP, go to system properties, hardware tab, Driver Signing. Set policy to "Ignore" or "Install silently" (it's available from group policy too and you can also hardwire its initial value during install for PnP drivers searched automagically from OEM install path using unattend setup).

    Cheers,

    Sabahattin

  6. Dillon Pyron

    Accidental?

    Did he accidentally release, not knowing that the flaw hadn't been patched? Or did he get tired of waiting for the patch to be released and finally out them? The world may never know.

    My current customer has "hacking sites" blocked, and I wouldn't want to be seen on astalavista anyways.

  7. Greg Nelson

    How Bad Is It?

    It's been over 10 years since security experts got a look at Windows '95 and ran away screaming and laughing hysterically. I played with Softice and other tools and was amazed at how easy it was to acquire the lowest level of expertise necessary to mess with software whether it be an OS or something else. I've tried to stay current with Windows security because I run Windows multimedia, networked boxes. Certainly the security industry has grown in leaps and bounds and demonstrated the ability to improve security and counter malware but it seems the other side is more than up to finding new exploits and the only way the white hats can stay out front is by finding the worst new exploits before the black hats do. So what's going on? Is this as good as it gets?

    Certainly a current, robust operating system faces issues of complexity that probably introduce insurmountable security issues, but are the worst of new exploits in part recurring problems under a new guise and pointing to architectural flaws or are they just shinny new needles in a new haystack? Are the battle lines drawn and a final showdown at hand? I don't think so. After over 10 years of effort it 's obvious there are systemic issues of both machine and human making that aren't going to allow acceptable security and privacy on the Microsoft platform. Linux with open source may provide the best approach because it doesn't have barriers in place at each and every proprietors' doorstep. What will probably change is that people will accept some kind of strictly controlled access to their computers ( computers that may come free from an internet service provider ) and techs will monitor the machine daily.

    just my loose change

  8. studentrights

    security and privacy on the Microsoft platform

    "After over 10 years of effort it's obvious there are systemic issues of both machine and human making that aren't going to allow acceptable security and privacy on the Microsoft platform."

    Get a Mac.

    Its' certified Unix.

  9. Alan Donaly

    it's all gone then

    Purple pill is all gone then you can't perhaps find it

    in bittorrent or other places on the internet it's not

    being cloned and improved as I write this or anything

    . I would laugh but I am sick of the whole video driver

    scene those vid card manufacturers need a good swift

    kick by everyone.

  10. Adrian Esdaile

    RTFM

    Yet again, security ruined by lazy, incompetent 3rd parties. Yep, you heard me. Stop the MS bashing. MS write the rules for their OS, and as long as we have bottom-line-only bottom-feeders writing the software, ignoring due-freaking-dilligence and then foisting this rubbish on users, we will forever have problems with virii, malware, phishers, etc.

    And for the rabid Mac fans (and just who 'certifies' Unix, I might ask?) - keep your heads down and thank your lucky stars you're using a system that no-one cares about! Keep in mind though, one day your security through obscurity will end...

  11. David

    Mac's wonderful security...

    Firstly.. I have never owned a Mac but I have friends who are Mac fans. I have had the pleasure and the pain of using them many times. Mostly, it is a pleasure. I know Mac's are generally as good as, if not better than Linux machines, and always far far far better than any windoze-infested machine.

    However...

    I have discovered that on OSX, at least on older versions, if you open up port 22, maybe to run a SFTP server or something, then you're asking for trouble. Because while the gui has several passwords for admin and whatnot set, the underlying OS has a unix-like shell available. Which you can ssh into. Which has a root password that is blank by default. So ssh root@machost will get you in with full access by default, if port 22 is open on that host. You are not warned that there is no password on the root account.

    For that matter, a local user on the terminal has the same access. If they can get a terminal window open, they have full access..

    That may have been fixed in a later version of OSX. I certainly hope so. While Macs are way more secure generally, this sort of hole is still pretty stupid.

  12. t3h

    SSH to localhost?

    > So ssh root@machost will get you in with full access by default, if port 22 is open on that host. You are not warned that there is no password on the root account.

    SSH itself won't allow a login to a passwordless account, especially root... on any system.

  13. Anonymous Coward
    Anonymous Coward

    Man, you are l33t.

    root is disabled for logon. You cannot even su into root unless you explicitly enable it first and then you need to provide a password.

    As for opening a terminal window in this state - no you dont have full access, you try accessing another users account.

    I think you made an extremely erroneous assumption here and never tried to actually prove it. If you had you wouldn't have made that statement.

    I would love to know what version you think this hole is in.

    No - im not a fanboi, if anyone had told me a major *nix release had a supposedly blank passworded, enabled root account out the box i would have laughed at their l33t sk1llz0rz

  14. Anonymous Coward
    Anonymous Coward

    Mac security

    I have to agree with Adrian Esdaile - just because fewer security issues have been found with the Mac platform at the moment doesn't mean they're not there - it just means not enough people are looking for them...

  15. Anonymous Coward
    Anonymous Coward

    no one is looking for nix exploits

    Thatts pretty funny I wonder what you think all those

    servers are running we like to hack so much short

    sighted comments at best.When IIS gets to be the

    only server then we can talk about no one looking.

  16. Steven Hewittt

    Drivers

    I remember the good old days when drivers used to fit on a floppy and consisted of a .ini, .sys and maybe a .dll. There's no need for a 40Mb 'Driverware' or 'Megaforce' package.

    Shit coding by 3rd parties can bring most OS's to it's knees. Wake up ATi, NVidia and all the others - sort it out.

  17. Gerry

    @Mac security (and all the other ones)

    Talk is cheap, including this.

    However, if Mac or Linux is waiting to be taken down, when some black hat or other gets around to it, why haven't we seen any "lab" sponsored proof-of-concept?

    We see lots of statistics about how Linux (yeah, the one I use) has more vulnerabilities and they take decades longer to fix than that other operating system - but has anyone seen (rather than heard about) a machine compromised by anyone other than the owner of the root password? Even early Linspire?

  18. Anonymous Coward
    Anonymous Coward

    I must be missing something here...

    A driver flaw allows access to the kernel in a way that it shouldn't, and this is somehow not the fault of Microsoft? The obvious implication is that Microsoft (in an fit of irony of epic proportions) actually assumes driver developers are capable of adhering to standards!

  19. Steve-SCB

    Vista drivers are complicated by DRM

    From what I've read, it appears that Vista drivers have to be quite complex, accommodating all sorts of extra stuff to meet the MS DRM requirements, so I don't see how all the blame could be placed at the video card vendors doors.

  20. Rob

    LOL

    "There's no need for a 40Mb 'Driverware' or 'Megaforce' package."

    Indeed! Nothing says WTF like an 84Mb Logitech webcam driver download. Oo

  21. James

    Quality of all drivers going down hill and MS are not helping

    "From what I've read, it appears that Vista drivers have to be quite complex, accommodating all sorts of extra stuff to meet the MS DRM requirements, so I don't see how all the blame could be placed at the video card vendors doors."

    MS should be working on making it easier to write good drivers and not harder.

  22. Timothy Slade

    driver sizes and stuff

    Got an HP scanner. Installed it under XP, it copied the entire contents of the cd that came with it, and I had all sorts of image gallery manager craplications installed, with no option not to.

    Under ubuntu linux, I apt-get'ed one file.

    and @ David re: Mac security, I have played with OSX 10.1 - 10.4 and not seen this problem (root acces from a terminal) in any of them, as others have said you either have to activate the root account through the preferences or 'sudo passwd' at the terminal. A password being not set is not the same thing as it existing, and being blank.

    It's fallen somewhat recently, but at one point something like 70% (IIRC) of web servers were running linux. So, yeah, thats a really obscure, out of the way OS, not of interest to hackers or security researchers.

    I'm curious when hardware manufacturers are going to spit the dummy with all the hoops thy're being asked to jump through for DRM this and trusted computing that, and just say 'fuck it, our hardware is not windows compatible'.

  23. harreh

    Wow microsoft is getting a better repour

    My First PC was a Windows 3.1 2mb ram 52 mb hdd job, back then i knew nothing about security or even have the internet but it did ship with Q basic! after this PC it went down hill.. tinternet and windows 95 armed with AOL 2.somthing this is where your Windows machine was open to everyone who wanted to be leet and the same for 98 when it came out, same stuff different day but more people trying to be leet.. this is when microsoft started trying to put security features into their desktop OS's with XP sure they started off badly (any one remember Net Send adverts?) but by SP2 they'd started to make it secureish and low and behold some people are starting not to blam Microsoft for the sake of blamming. now Vista is here shipped with more security gadgets than everyones favorite inspector! once these early day problems with any new OS that comes out are delt with will there be a generally secure OS that is not prone to script kiddies united? IMO yes there will be less automated hacking scripts yes there will be fewer malware etc apps but what will be the cost of this? heavy weight applications that need big pimping specs to run them.. an example how big was XP install and how big is an XPsp2 install? and compare the idle process numbers, ram usage %? that's going to be the cost of water tight security measures

    PS excuse my lack of paragraphs grammer and spelling etc im ill today

  24. yeah, right.

    Fanboys amuse me.

    Especially Microsoft fanboys, ready to take it up the arse for their lord and master.

    Microsoft "security" is a joke, from start to Vista. Their latest version of "security" simply allows them to say "it's not our fault", when in fact they are selling their signing service as a guarantee that they have, in fact, inspected and approved anything they have signed. Yes, ATI screwed up. But Microsoft is screwing up even more by having an "operating system" that allows drivers access to areas they should not have access to. So yes, it's Microsofts fault for writing a crappy operating system. Again. Their whole "operating system" is a sad, sad joke perpetrated on a world of people who have been brainwashed into accepting truly crappy software on a daily basis.

    As for Macs - they're a little better, and it's what I currently run for various reasons, but they aren't that much better. I'm still waiting for proper security on a computer. You know, something like Multics had by 1969 or 1971 or thereabouts. Surely it can't take that long to reinvent the basics?

    All hardware sucks. All software sucks. The rest is personal preference. But come ON folks, there are still some things that suck the most of all choices, and we're getting a front row seat here on why it sucks.

  25. Anonymous Coward
    Anonymous Coward

    LMAO

    Another security breech/exploit brought to you by Microshaft...

    "Where do you want to go today?"

    Indeed.

    Hillarious....its so obvious youd be out of your mind to use Vista and yet the people who implicate MS have to attack Macs for no reason other than stupid pride.

    This excuse of "not popular enough" is utter BS.

    Try too dang hard to hack more like.

    Every documented attack has taken over 24 hours just to get in..and yet no one can attest to root access.

    Don't bother complaining or ranting about security on macs until you find me something thats utterly documented.

    All i see is talk...and talk is cheap.

    Funny thing... I have to agree with some of the comments...all this talk about linux/unix systems being severely flawed..yet no one is talking about it short of boasting.

    Sounds like they are compensating for something...or more like the LACK of something.

  26. Jason

    Why?

    I don't get why people bash MS so much, windows work, it does what it needs to do and was designed to do. If people start attacking it, there's not much MS can do about it but wait until the hole is found, then fix it.

    You don't go round round saying the police are crap because they don't catch criminals before they commit a crime, they have to catch them after the crime.

  27. Peter Gathercole Silver badge

    Unfound security holes in Unix-like OSs

    What many people forget is that most Unix or Linux reported potential vulnerabillites are just that. Potential.

    The advantage that these systems have is that the code is open to inspection. Many (but obviously not all) of the reported holes are as a result of buffer-overruns, which have been identified by syntactic analysis of the source code. What is found is that buffers overlap, or have unbounded copy operations performed on them. This means that something will be affected, but it is unlikely that many of them will have real security exploits, although DoS exploits may be possible.

    Contrast this to secret code. Only the code-owners and their trusted partners (who will have signed non-disclosure agreements) have this level of access. Most published exploits are real, with proof-of-exploit code available.

    Which of these flaws is more dangerous. And how many more 'potential' or real exploits remain in secret code supplied to millions of trusting users. It really makes a mockery of comparing the numbers of reported flaws in closed and open software, as certain well known OS suppliers do.

    Open Source really is more secure, because ANYBODY can look at it to identify faults. And if they are any good, as well as finding holes, they can even fix them.

  28. Mike Tester

    This would be funny if it wasn't so serious

    Ballmer famously claimed that "Vista is the most secure operating system ever." When I finished laughing, I took a look at the Microsoft vision of "security".

    "Vista" is actually just a skinned version of XP with a bit of (very nasty) DRM thrown into the mix. The "security" model really just consists of nagging the hell out of the user with a series of irritating "nag" dialogues. The second time this happens, Joe user will switch off the "security" features. There are actually NO improvements to fundamental security as promised.

    In fact, "Vista" is more open to abuse than XP.

    On some hardware platforms, "Vista" is hideously unstable - it was rushed to market without even the most rudimentary set of drivers - so OEMs are ditching it and returning to XP (or Ubuntu!).

    As ever, MS have entirely failed to deliver a working product. This adds to their long string of failures. In fact, if you think about it, MS have NEVER released ANYTHING that works properly!

    Game Over, Microsoft!

  29. Mother Hubbard

    @RTFM

    So, Microsoft "certifies" binary code that will run with elevated privileges on 90% of desktop computer systems, and that means users shouldn't trust it, right? Speaking of "due-freaking-dilligence" - it is absolutely Microsoft's fault that code with their explicit trust applied, that wasn't audited, was vulnerable.

  30. Anonymous Coward
    Anonymous Coward

    The ati driver allowed a backdoor...

    so they certified a root module and loaded uncertified dll-s into the driver. This allowed a faster development cycle, because they didn't have to ask microsoft's certification for every patch they made. On the other side, doing the same process correctly slowed down nvidia's developement. What ati did was to intentionally disable security with a backdoor.

    This feature is not new, we had a driver like this for win2k and winxp. Used by hobbysts to open hardware port access to user mode programs, so a program that used the hardware without drivers could be ported from dos to windows console mode without writing a kernel driver. The driver just disabled io and/or memory protection by patching the control structures of the nt kernel.

    The problem with driver security is an architectural one. If they used a proper hypervisor then code could not be loaded and executed without the hypervisor checking it first. The problem with this is that very few pc-s could run hardware virtualization and have a working tpm chip with intel's efi installed. Actually the only such hardware are intel macs and even they don't really use this feature. (only used for copyright checks during boot and for itunes drm) This is why microsoft decided to opt for cooperative security instead, requiring nice behaviour from every kernel module. For a true tpm system, only the hypervisor have to be trusted and wired into the hardware. (another problem on a pc is to get the windows hypervisor burned into the cpu during manufacturing, so far only xbox360-s have this feature)

  31. Chris

    Proof that binary BLOBs are evil!

    It doesn't matter what OS you're running if you pack it full of 3rd party binary-only drivers/apps it will only be a question of time before the OS is compromised by some crap code. Yes, I am including Linux and OS X in this list.

    As a Linux (and Mac) user I'm getting increasingly concerned of this 'more secure' OS's reliance on more and more proprietary drivers (yes, nVidia, AMD, Intel et al I'm talking about you). The whole point and benefit of FLOSS is being thrown out the window (pun unintended) by this behaviour.

    If you really want to be truly secure do not trust anything that comes from 3rd parties and stick with the tried, tested and trusted Open Source code.

  32. Ross

    Marketing forces

    It doesn't matter how hard you try, mistakes will always be made when coding. To mitigate this you need to do lots of testing, but testing slows time to market.

    In a lovely make believe world ATI would have thrown their drivers at someone like @STAKE along with a NDA and said "break it". The trouble is that takes time, and if they do break it, it takes even more time to fix it and test it all over again. That's time you're not selling your new gfx cards because you don't have a working driver for them which = a drop in your stock value.

    As you can see security doesn't make financial sense, at least in the old model of release and patch. Why wait on an insecure product? When was the last time you saw a major news story on a security flaw outside of the tech news community? You make more money releasing early and fixing it later.

    As for MS signing off flawed drivers - how is that a surprise? ATI are a big company, they do their own internal testing, of course their drivers are safe! Well they're not malware at any rate which is all the driver signing is meant to stop, not sloppy coding. All MS were interested in was receiving their fee from ATI for signing the drivers. Which I guess just shows that driver signing isn't about security at all, but protectionism for the big boys.

    *sigh*

  33. This post has been deleted by its author

  34. Ole Juul

    This whole discussion really shouldn't be happening

    Mike Tester said: "MS have NEVER released ANYTHING that works properly!"

    How can you say that? I still use MSDos6.22 on a daily basis and it works very well. Of course I only use the "kernel", having replaced everything else with non MS ustilities, but still, it's rock solid and lightning fast. One of the best things about it is that any virus infection is quickly noticable and easily found. In fact, I haven't had an infection since before 6.2 came out and my kid used to bring viruses home from elementary school. In those days they were mostly harmless boot sector viruses which we got used to fixing. My point is that it was simple enough to be under my control and not so complicated that the programmers didn't know what they were doing. MicroSoft used to write very good software. Of course, Mike is right, but I would say that it wasn't until MS went to a windowing system that things started going wrong. They got in over their heads and the software became unprofessional.

    I don't even know what a modern virus looks like. When DOS became too difficult to use for the net, Linux was ready for simpletons like me and I started using that for interfacing with the "cruel world". I've never had any malware, that despite the huge number of vulnerabilities in Linux. Perhaps I'm just too stupid to get a virus, I don't know, but I've had a machine connected to the net 24/7 for a number of years now. I don't especially like Linux but I don't want to go backwards and be charged for it. I'm just not going to pay good money for an OS unless it can compete with DOS on a basic level so I use what I can get for free. I can't imagine paying for an OS and then having to deal with malware.

    People who bought into the MS windows line of OSes seem to have experienced increasing problems. It really looks like MS, and operating systems in general, have developed to the point where no one knows how to operate them properly ... even the manufactures. It's very unprofessional to be trying to sell an OS which has problems that are beyond the programmers control. They're obviously atempting more than they are capabable of doing. Maby it's time to scale back to a level that matches their (and their customers) abilities.

  35. Danny

    Do you actually deal with end users?

    'Open Source really is more secure, because ANYBODY can look at it to identify faults'

    Unfortunately, so can hackers looking for exploits. With the code available to them it makes finding problems so much easier. You can bash MS as much as you want but at least they have an idea about the average user by trying to make things like security updates as easy as possible.

    If Linux or some other OS where to suddenly make it big (70%+ of desktops) how many problems do you think this would cause globally?

    Think about it, a large proportion of the computer using population want everything to happen automatically. They can't even find a document they created if they save it to the wrong folder or make sure their AV is up to date, believe me, I get loads of work dealing with little non-issues like this. If a vulnerability is found in Linux how many of them do you think will check every now and again to see if they are still secure? How many will have the ability to replace the kernel with the newer patched version? Very very few. most would never even think about it leaving the internet open to flooding by botnets taking advantage of a vulnerabilty across millions of PC's. You think it is bad now, it could be so much worse.

    And before anybody says it, no I am not a MS fanboy, I just deal with end users every day and see first hand just how many people haven't a clue and they also have no interest in learning about the systems they are using. They just want to switch the computer on and it works, without them ever having to do anything or learn anything about it.

  36. A J Stiles

    This must never happen again

    This must never, ever be allowed to happen again.

    I propose that we need a new law, mandating that all hardware driver software be supplied in Source Code form.

    And it *will* take a law -- otherwise manufacturers are just going to bleat about "giving our competitors an unfair advantage". (Then they'll just get straight back in the back room and carry on reverse-engineering their competitors' products.) At least if everybody is *forced* to release their code (and maybe a general IP amnesty is declared at the same time, just in case they have tried to hide evidence of copyright or patent violations behind Closed Source) then nobody gets an unfair advantage.

    @Danny: The whole point is, there are *more* "good guys" looking for flaws to fix than there are "bad guys" looking for flaws to exploit. Hence for any given bug, the greater probability is that it will be found by a "good guy" (and therefore fixed).

This topic is closed for new posts.