Graphics drivers are malware compliant

DAAMIT, Nvidia fail to stick to spec

By Wily Ferret: Friday 03 August 2007, 10:08

AN INSECURITY expert presenting at Black Hat yesterday succeeded in illustrating the incredible danger posed by Windows Vista drivers - and fingered ATI and Nvidia as having particularly badly written drivers.

Joanna Rutkowska is a leader in the field of virtualisation technology and demonstrated a hack dubbed 'Blue Pill' at last year's Black Hat, the annual hacker conference held in Las Vegas. Using Vista's built-in virtualisation technology, Blue Pill was designed to work as malware, executing itself on boot to give itself hypervisor privileges in the Vista virtualisation system - effectively gaining control of the system in a way that Windows itself could never hope to detect, thus becoming the ultimate rootkit.

Whilst Microsoft claimed to have closed off that exploit for the final release of Vista, there are still plenty of ways to attack Windows Vista and install malicious rootkits, which her presentation yesterday proved. By using the Nvidia driver as a proxy for writing code to the kernel, she showed how a rootkit was able to bypass Vista's kernel protection system, which claims to prevent unsigned and unreliable code from causing problems.

"The whole problem in Nvidia," Rutkowska explained, "is that the driver doesn't do the proper checks and can do a write for an arbitrary registry." By failing to check what it's writing, it's possible for hackers to attach code and have it written into the registry by the Nvidia driver.

It's not just Nvidia's problem, or even ATI's - although both were singled out as particularly bad examples of driver writing. "There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska said.

What's worse is that the drivers were so badly written, and their architecture so poorly designed, that a user doesn't even have to have an Nvidia or ATI graphics card installed with the driver to take advantage - it's enough simply to include the driver file with any other job lot of code, stick it anywhere on the C: drive, then proceed to use it as an attack vector.

There's more Black Hat coverage over here, but nothing at the conference seems to be quite as revealing as this presentation. Can Nvidia and ATI go back to the drawing board and re-write their drivers to avoid being a massive malware attack vector? Given the problems they appear to have getting Vista working properly at all, we're not entirely confident.

Neither Nvidia nor ATI, Daamit, were able to offer up coherent comments when we asked them to this morning. µ
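The flaw Rutkowska describes is a driver that accepts a write request from user mode and never checks where the bytes will land. The following is an added illustration, not code from the article or from either vendor: a constructed user-space model of such a request handler, with the unchecked version beside a hardened one that bounds the destination against the region the driver actually owns. The request layout, the memory array and the region sizes are all assumptions for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of a user-mode reachable "write" request. Real drivers
 * carry this in an IOCTL buffer; the layout here is an assumption. */
typedef struct {
    uint32_t dest_offset;      /* where the caller wants the bytes written */
    uint32_t length;           /* number of payload bytes */
    uint8_t  payload[16];
} write_request_t;

/* One flat array stands in for kernel memory: the first half is the region
 * the driver owns, the second half is memory it must never touch. */
#define DEVICE_REGION_SIZE 32
static uint8_t memory[64];

void reset_memory(void) { memset(memory, 0, sizeof memory); }
uint8_t peek(size_t index) { return memory[index]; }

/* Missing-check handler: trusts dest_offset and length completely, so a
 * caller can place bytes of its choosing in the protected half. */
int handle_write_unchecked(const write_request_t *req)
{
    memcpy(memory + req->dest_offset, req->payload, req->length);
    return 0;
}

/* Hardened handler: bounds length against the payload and the destination
 * range against the driver-owned region before touching memory. The end
 * offset is computed in 64 bits so a huge offset cannot wrap past the check. */
int handle_write_checked(const write_request_t *req)
{
    uint64_t end = (uint64_t)req->dest_offset + req->length;
    if (req->length > sizeof req->payload) return -1;
    if (end > DEVICE_REGION_SIZE) return -1;
    memcpy(memory + req->dest_offset, req->payload, req->length);
    return 0;
}
```

Offsets 32 and above are the protected half; the unchecked handler writes there on request, the checked one refuses and also rejects a wrapping offset.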
You know... she ain't that bad looking, if you factor in the whole "female uber hacker" aspect lol. Though she ain't Acid Burn, that's for sure.
ATI patches "purple pill"

24 hours from start to fix

By Charlie Demerjian: Sunday 12 August 2007, 10:40

THERE IS A VISTA exploit called Purple Pill that targets Vista through graphics drivers. It made a lot of news last week among the security and hacker communities, but how the affected companies responded is quite illuminating.

The way it works is that if a vulnerability exists in a driver, since the driver has kernel level access, a moronic design decision on MS's part that we will all pay for over the next few years, attack code can load into the kernel and run rampant. Without getting too much into the joke that is Vista security window dressing, let's just say that from that point on, there is pretty much nothing you can do.

The current exploit was said to be a flaw in a graphics driver, and was later revealed to be an ATI driver flaw, specifically an exploit in the installer. The interesting point is not that a graphics driver, or any kernel level driver flaw, can expose a system; it is how quickly ATI reacted to it.

According to ATI, it was first notified that its drivers were at fault last Thursday, and as of late Friday, there was still a chance that the fixed drivers could be posted that day. At worst, the patched drivers would be upped on Monday.

The problem centres on the installer rather than the driver, about 4MB of the approximately 35MB package. In a day or so, the flaw was found, patched, tested and posted. [Edit: It looks like the Catalyst 7.7s are now up, so I guess it is Monday] Since the drivers themselves are not changed, only the peripheral programs, they will still be labeled Catalyst 7.8, and scores should not change.

What it comes down to is that a minor bug in a driver installer can own a box; this is a Microsoft problem, not an ATI or Nvidia problem. Both companies can be used to poke a nose into a joke of an MS security model, but rather than holding the messenger's feet to the fire, we should put the blame where it is due, in Redmond.

As a side note, I wonder how NV would react to this situation. Its past reactions to bad news seem to be to shoot the messenger, and I wonder if that carries over to security as well. Since the hot exploit path to Vista for the next few months will be GPU related, I am sure we will find out. Won't this be fun to watch? µ