Driver Signing on Vista 64 – ATI Isn’t Getting a Christmas Card This Year
The other day, I blogged about the latest happenings in the Atsiv saga. Today I’m providing an update, which I couldn’t have made up even if I tried.
This can only be described as one of those moments that would make anyone in Microsoft’s situation start to sob. Alex Ionescu published an entry on his blog (which subsequently got pulled) with a supporting tool called Purple Pill. This tool had embedded in it an ATI-signed driver that would be dropped to disk and loaded (a similar approach to Atsiv). However, it would appear that this signed driver contained a design error which allows you to use it to load any arbitrary driver even if it is not signed (similar functionality to Atsiv). You can imagine this came about due to a requirement to extend this core driver with arbitrary modules in ATI’s design. However, this has now come back and bitten them, and more so Microsoft, quite badly.
(Just to clarify: the bug in the ATI driver is the ability to do arbitrary memory writes. This is used to allow the loading of an unsigned driver via the standard loading mechanism.)
What should Microsoft do? Revoke a signing certificate for a hardware driver that’s in 50 percent of laptops? Do nothing? Cry? Go to the pub? This will truly be like watching a mini soap opera slowly unfold.
What ATI is probably going to have to do is get a new certificate, sign fixed versions of all their affected drivers, and release them via Windows Update. Only then can Microsoft get VeriSign to revoke the signing certificate. My stopwatch has started…
FYI: Symantec is detecting Purple Pill as Hacktool.Purpload. Also thanks to Eric Chien, Matt Conover and Peter Ferrie for input for this blog entry.