So, in the Future Watch section of the last Internet Security Threat Report and in our Windows Vista research, we stated that drivers were increasingly being attacked and that we would expect this trend to continue. We also stated that these third-party drivers posed one of the greater areas of exposure for technologies such as driver signing, PatchGuard and general kernel integrity on Windows Vista 64-bit.

I recently blogged about an example of one third-party hardware driver from ATI and the issues it was causing Microsoft. Before that, I discussed a third-party driver which was specifically designed to allow the loading of arbitrary unsigned kernel drivers.

Anyway, before these came another example, though I've only just got around to blogging about it. Why is it a good example? Well, it was in a common open-source driver which is signed by a third party and used pretty widely by the technical community. The driver is WinPcap, the packet-sniffing driver used by tools such as Wireshark. The vulnerability is a bug that allowed arbitrary kernel memory to be written to. If we look at the change log from WinPcap:
Version 4.0, 29 jan 07
Added support for Vista x64 by digitally signing all the binaries of the WinPcap distribution.

Version 4.0.1, 03 jul 07
Bug fixing:
Fixed a bug in the dispatcher of the BIOCGSTATS IOCTL that caused a BSOD if the parameters passed from user level were invalid. This fix addresses a security vulnerability reported by the iDefense Labs.
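The change log describes the general class of bug: an IOCTL dispatcher that trusts parameters handed up from user mode. As an added illustration (not WinPcap's code, and not the actual fix, whose details are not given here), the following C models a BIOCGSTATS-style handler in a hosted, user-mode form: the stats structure, request layout and status codes are constructed stand-ins, and the unvalidated handler is shown only beside the validated one, which checks the caller's buffer before writing to it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for status codes; not the real NTSTATUS values. */
#define STATUS_SUCCESS           0
#define STATUS_BUFFER_TOO_SMALL  1
#define STATUS_INVALID_PARAMETER 2

/* Hypothetical layout of the statistics record a BIOCGSTATS-style IOCTL
 * hands back to user mode; the real WinPcap structure is not on the page. */
struct capture_stats {
    uint32_t received;
    uint32_t dropped;
    uint32_t if_dropped;
    uint32_t captured;
};

/* Constructed model of what a dispatcher receives from the I/O manager:
 * the caller's output buffer and the length the caller declared for it. */
struct ioctl_request {
    void   *out_buffer;
    size_t  out_length;
};

/* Unvalidated handler: copies whatever length user mode declared. A short
 * buffer is overrun and a long one reads past the record into adjacent
 * memory; in a kernel, either corrupts or leaks kernel memory. */
int biocgstats_unvalidated(const struct capture_stats *stats,
                           struct ioctl_request *req) {
    memcpy(req->out_buffer, stats, req->out_length);
    return STATUS_SUCCESS;
}

/* Validated handler: reject a null or too-small buffer before touching it,
 * copy exactly sizeof(*stats), and report the byte count actually written
 * (the count the I/O manager copies back for a METHOD_BUFFERED request). */
int biocgstats_validated(const struct capture_stats *stats,
                         struct ioctl_request *req, size_t *bytes_written) {
    *bytes_written = 0;
    if (req->out_buffer == NULL)
        return STATUS_INVALID_PARAMETER;
    if (req->out_length < sizeof(*stats))
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(req->out_buffer, stats, sizeof(*stats));
    *bytes_written = sizeof(*stats);
    return STATUS_SUCCESS;
}
```

In a real Windows driver the same check sits in the IRP_MJ_DEVICE_CONTROL path, comparing the length from the IRP's stack location against the record size before any copy, and user pointers for non-buffered methods are additionally probed under an exception handler.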