An unpatched flaw in a signed ATI driver opens a hole that lets malware slip past the improved security features in Windows Vista and straight into the Vista kernel. Microsoft says it is working with ATI on an update, and security watchers expect the roll-out to be far from straightforward, since the vulnerable driver is legitimately signed and already installed on a large number of machines. The flaw came to light after a developer released a proof-of-concept tool called "Purple Pill", which gives an easy way to load and unload unsigned, and potentially malicious, drivers on Windows Vista. By abusing the signed-but-flawed ATI driver to switch off the kernel's checks for driver signatures, the utility can circumvent the anti-rootkit defences built into 64-bit Vista.
The developer who wrote "Purple Pill" pulled the utility hours after its release, on realising that the ATI driver flaw it relies on was the one recently presented by Vista kernel security expert Joanna Rutkowska at Black Hat last week. "Purple Pill" is similar in function to "Atsiv", a tool designed by Linchpin Labs in Australia as part of a research project into driver signing. Microsoft recently responded to "Atsiv" by revoking the code-signing certificate behind it and classifying it as malware, much to Linchpin Labs' surprise. "Atsiv" had grown into a project that allowed users with legacy hardware to deploy Windows Vista and install unsigned drivers for that hardware.
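The practical question for an administrator is not how Purple Pill works but whether something like it has been used on a machine: is signature enforcement still on, and is every driver currently running in the kernel actually signed? The following is an added example, not code from the article or from either tool's authors. It lists the running kernel drivers, verifies each image's Authenticode signature and reports the boot-configuration flags that legitimately disable enforcement. It assumes an elevated PowerShell 3.0 or later prompt; on Vista's PowerShell 2.0, replace Get-CimInstance with Get-WmiObject.

```powershell
# Added example (not from the article): audit driver-signing state on a running
# Windows machine. Run from an elevated PowerShell prompt.

# Boot options that weaken driver signature enforcement. 'testsigning' and
# 'nointegritychecks' are real BCD options; either reading "Yes" means unsigned
# drivers can load without any driver flaw being needed.
$bcd  = bcdedit /enum '{current}' 2>$null
$weak = $bcd | Where-Object { $_ -match '^(testsigning|nointegritychecks)\s+Yes' }
if ($weak) {
    Write-Warning ("Driver signing enforcement is weakened:`n" + ($weak -join "`n"))
}

# Running kernel-mode drivers and the on-disk image each was loaded from.
$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName may be quoted or use the \??\C:\... prefix; normalise to a plain path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^"(.*)"$', '$1'
    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver whose file is gone is itself worth a look.
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = '' }
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# Anything other than 'Valid' deserves attention: an unsigned image executing
# in the kernel of a system that enforces signing means something bypassed the check.
$suspect = @($report | Where-Object { $_.Status -ne 'Valid' })
$suspect | Sort-Object Status, Name | Format-Table -AutoSize
"{0} running drivers, {1} without a valid embedded signature" -f @($report).Count, $suspect.Count
```

Two caveats when reading the output. Get-AuthenticodeSignature checks the embedded signature and, only on newer PowerShell and Windows versions, catalog signatures, so in-box Microsoft drivers signed through catalog files can show NotSigned on older systems; compare the Signer column and the file location before treating such an entry as hostile. Second, a loader of the Purple Pill kind can unload the unsigned driver again before anyone looks, so a clean snapshot rules out only what is loaded at that moment; the BCD flags and the signing status of third-party drivers that are always present, such as a vendor's display driver, are the more durable indicators.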
News source: thewindowsblog.net