ATI Driver Flaw Leaves Vista Kernel Open To Attacks

An unpatched flaw in drivers from ATI creates a security hole that lets malware slip past the improved security features in Windows Vista and straight into the Vista kernel. Microsoft says it is working with ATI to release an update, and security watchers think that may be far from straightforward to roll out. The flaw in ATI's driver came to light after a developer released a proof-of-concept tool called "Purple Pill", which creates an easy way to load and unload unsigned, and potentially malicious, drivers on Windows Vista. The utility can be used to circumvent the new anti-rootkit defenses built into Windows Vista by turning off checks for signed drivers.

The developer who wrote the "Purple Pill" tool pulled the utility hours after its release, after realizing that the ATI driver flaw "Purple Pill" relies on was the one recently presented by Vista kernel security expert Joanna Rutkowska at Black Hat last week. The functionality of "Purple Pill" is similar to that of "Atsiv", a tool designed by Linchpin Labs in Australia as part of a research project into driver signing. Microsoft recently responded to the development of "Atsiv" by revoking its license and classifying it as malware, much to Linchpin Labs' surprise. "Atsiv" had evolved into a project that allowed users with legacy hardware to deploy Windows Vista and install unsigned drivers for that hardware.
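As an added defensive check, not from the article or from ATI or Microsoft: a PowerShell inventory of the kernel drivers currently running on a Windows host with their Authenticode status, which is how an administrator would spot the kind of unsigned driver the tool above loads once signature checks are turned off. It assumes PowerShell 3.0 or later and read access to the driver files.

```powershell
# Added example (not part of the original article): list running kernel drivers
# and flag any whose Authenticode signature is missing or invalid.
# Assumes PowerShell 3.0+ and read access to the files under System32\drivers.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may carry \??\ or \SystemRoot\ prefixes; normalise to a filesystem path
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
        continue
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Anything other than 'Valid' deserves a look: NotSigned means the file never went
# through code signing, HashMismatch means it was altered after being signed.
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Drivers signed through a catalog file rather than an embedded signature can show as NotSigned on older PowerShell versions that do not consult catalogs, so compare against a known-good host before treating a hit as a finding.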


BrainDedd said,
Catalyst 7.8 (non-beta) is already listed on so it seems ATI is moving quickly to fix this.

Actually the currently released Catalyst 7.7 does not contain the bug anymore. They fixed it by altering the installer, for the fault was in the driver installer that allowed access to the kernel through the video driver, not in the actual driver. Or so I have heard...

GreyWolfSC said,

Not even gonna click... You might as well have just made something up as quote The Inquirer.

Too true

The inquirer should have that quote from Jamie in Mythbusters as their header.

"I reject your reality and substitute it with my own"

HawkMan said,
The inquirer should have that quote from Jamie in Mythbusters as their header.

"I reject your reality and substitute it with my own" :)

I thought Adam said that not Jamie

For the hell of it I read theinq article. And I just have to wonder about this little bit here. "The way it works is if a vulnerability exists in a driver, since the driver has kernel level access, a moronic design decision on MS's part that we will all pay for over the next few years"

Correct me if I'm wrong, but how the hell will a hardware driver work if it doesn't have kernel level access? Unless you want to force all hardware drivers to pass through something else first, but that's been in NT since the start, called the HAL iirc. If anyone knows the inner workings of drivers, do feel free to pop in and shed some light on things.

*John* said,
*Waits for someone to blame Microsoft for this* :rolleyes:

Well the thing is this flaw is the fault of Microsoft. The flaw has nothing to do with the driver itself, just the installer.

and so it begins...

Let's just hope that this doesn't inspire legions of coders into ways of creating more effective malware.

ATI should have already fixed their drivers. The problem isn't in the driver itself, but in the installer. There should be an update out already.