  Symantec Educates Microsoft on x64 Windows Vista Update
Posted by Anilrgowda (Administrator), 09-Sep-2007, 10:23 PM
Microsoft seems to be in need of some education related to its Windows Update practices, and Symantec seems more than happy to oblige. The issue is related to the 64-bit editions of Windows Vista and the mandatory driver signing mitigation introduced by Microsoft in order to safeguard the operating system's core from unsigned code. All kernel modules on systems running the x64 editions of Windows Vista must feature digital signatures. In the absence of a digital signature, kernel-level software, and especially drivers, for the x64 operating system will not be able to load. Essentially, driver signing is a mitigation designed to verify the identity of a code author and not a security measure, as Microsoft underlined.

But while the Redmond company has locked all unsigned code out of the Vista kernel, driver signing is by no means foolproof. In this context, the feature has generated some interesting circumvention techniques, and has also catalyzed the production of software designed to work around the protection and load unsigned code into the kernel of 64-bit Vista. Case in point: the Purple Pill, authored by Alex Ionescu, kernel developer and reverse engineer, which followed the Atsiv tool created by Linchpin Labs & OSR. Both programs offer a way to bypass driver signing on 64-bit Windows Vista. But while Atsiv used legitimate certificates that were subsequently revoked, and the tool was blacklisted by Microsoft as potentially unwanted software, the story with Purple Pill is a little different.

Purple Pill in fact involved the use of a vulnerability residing in the ATI Vista x64 Video Driver in order to load unsigned code into the core of the operating system. The tool was taken down by Ionescu as the vulnerability was yet to be patched by AMD ATI. Currently a patch is available via Windows Update for the affected drivers, but is labeled as an optional update by Microsoft.

"It is kind of interesting that Microsoft is making the update only ‘optional’. One would think that it would be in Microsoft’s best interests to expedite the deployment and thus ability to remove the vulnerable driver or revoke its signing certificate. I suspect they are being massively cautious as a ‘critical’ update would force everyone to download and reboot (if their machines are configured so). If there were any potential stability issues with the new driver, hosing millions of desktops in one go isn’t probably going to win you any friends," commented Ollie Whitehouse, Architect, Symantec Advanced Threat Research.

The new versions of the ATI video drivers have been available since last month, and both the 32-bit and the 64-bit versions can be downloaded. The new releases take care of the vulnerability exploited by the Purple Pill.

Still, for Whitehouse there are a couple of "things still not clear: a) How is Microsoft going to stop the old ATI driver being loaded and exploited by users that do manage to obtain Administrative privileges? b) When is it safe to revoke the signing certificate (I believe it will have used timestamp signing and thus be possible to revoke it only for signed files before a certain date) or add its signature to security software such as antivirus."


