AMD graphics driver hole opens Vista to rootkits

A proof-of-concept tool put together by a ReactOS kernel developer Alex Ionescu has unmasked a serious vulnerability in AMD’s graphics drivers for Windows Vista. As ZDNet reports, the security hole allows the Vista kernel to be patched to turn off “certain checks for signed drivers.” Through this vulnerability, a malicious programmer could develop software capable of bypassing the mandatory driver signing mechanism in Windows Vista x64 in order to load a rootkit—a tool designed to conceal the operation of other malicious software—onto the operating system.

Ionescu says he released his “Purple Pill” proof of concept without knowing that the flaw in AMD’s graphics drivers had not yet been patched. Roughly an hour and 20 minutes after realizing his mistake, Ionescu pulled the proof of concept. However, the file had already been downloaded 39 times. When asked about the security hole, a Microsoft spokesman told ZDNet, “Microsoft is in contact with ATI to help address this issue and once fixed we will assist in getting it to our customers.”

Comments closed
    • bhtooefr
    • 12 years ago

    With a successful Vista rootkit hole, Microsoft having to change the graphics model to something closer to the old XP model, and some other stuff, Vista doesn’t even have properly working DRM any more.

    The pirates win, the legitimate user loses. Where have we heard this before?

    Of course, Microsoft’s going to revoke keys for this driver, but still…

    • indeego
    • 12 years ago

    When you go to ati.com, you are met with:

    – url redirect to ati.AMD.com.
    – AMD Logo top left and AMD chip on lower right.
    – Color scheme is from AMD, not ATI.
    – Everything is about “amd plus ATI,” or “The new AMD” (when really isn’t it the new ati? Not really giving you an idea what company you are dealing with specifically.

    This leaves (me, at least,) with a confusing branding. I have no idea who I am dealing with here. This is backed up by repeated, heated discussions on TR about this. People don’t know who the h*** either company is anymore.

    Now, let’s look at a comparison takeover company: Cisco and Linksys:
    – §[< http://www.linksys.com<]§ website: Linksys logo, technologies, products, information are all branded the same. People that use linksys know exactly how to find what they are looking for. People that don't care about mergers/cisco aren't confused. -Small touch of cisco. -everything is as you expect it. I would dare say the ATI brand is more well known that AMD. AMD should have just left it alone, ala cisco. I hear that now cisco is chaging linksys back to cisco, and I feel that is a grave error. Consumers know linksys more than they know cisco, stillg{<.<}g

    • Sniper
    • 12 years ago
    • scribly
    • 12 years ago

    Another step in the right direction.
    Perhaps there is a chance that someday hobbyist driver writers may be able to share their drivers with friends again just like in Windows xp (I have a few drivers I’d LOVE to load without pressing f8 each time i boot up. A shame i’m not allowed to digitally sign them by microsoft)

    but till that time, i’ll stick with xp

    • albundy
    • 12 years ago

    wouldn’t you still see the service running? how would you conceal it?

      • TO11MTM
      • 12 years ago

      That’s the beauty of Rootkits. Since they have priveliged access to the system they can do all sorts of nasty things on the fly.

      I once had one in the form of a nasty piece of spyware that not only wouldn’t show up as a service or running process, but even modified google search results. O_o

        • albundy
        • 12 years ago

        how did you even begin to troubleshoot? I guess it would be hit or miss.

    • provoko
    • 12 years ago

    Fantastic…….

    • Shark
    • 12 years ago

    I hope to see a new, patched, driver release soon.

    • Ruiner
    • 12 years ago

    wheee. another step in disabling vista’s built in DRM protections.

    • BenWang
    • 12 years ago

    #2 I can’t remember a time in recent history before the merger when Catalyst drivers were quite this bad, so I’m gonna continue calling them AMD drivers.

    Does this potential exploit work on 32-bit Vista or any version of the XP/2K famly btw?

    • My Johnson
    • 12 years ago

    People use Vista?

    • herothezero
    • 12 years ago

    Talk about irresponsibility masquerading as savvy.

    • SnowboardingTobi
    • 12 years ago

    I don’t understand how he could not know the flaw wasn’t patched yet. He must have a computer with an ATI card in it to test out his POC. He could have simply d/l the lastest drivers to see if the flaw still exists. Pretty simple.

    So smart and yet so dumb. Or just a bad liar.

      • Flying Fox
      • 12 years ago

      Or just an attention grabber.

      • jdevers
      • 12 years ago

      Maybe he told them about it months ago and just assumed they would have fixed it in one of their monthly updates that seem to do little more than make 3DMark a bit faster.

    • Sniper
    • 12 years ago

    If we’re still using “ATI” why can’t we just call them ATI graphics drivers.

    Everyone knows AMD’s engineers have nothing to do with the graphics drivers – It’s ATI’s engineers.

    Blahhhhh.

    • SuperSpy
    • 12 years ago

    Whoa.

    I would imagine the MPAA and it’s lawyer squad is being dispatched to Alex’s home as we speak. </tinfoil hat>

Pin It on Pinterest

Share This