Windows Update used to distribute fixed ATI driver – but it's optional!

In my last post on the subject of Vista versus the battle of vulnerable and malicioussigned drivers, I said there was some conjecture about whetherMicrosoft was going to use Windows Update to distribute a patch for avulnerable ATI driver. Elia Florio on our Security Response Operations team in Ireland sent me a link to a notice at ISC which showed this is indeed what they are doing. The link to the AMD notice shows this is indeed meant to resolve the security issue.

It is kind interesting that Microsoft is making the update only‘optional’. One would think that it would be in Microsoft’s bestinterests to expedite the deployment and thus ability to remove thevulnerable driver or revoke its signing certificate. I suspect they arebeing massively cautious as a ‘critical’ update would force everyone todownload and reboot (if their machines are configured so). If therewere any potential stability issues with the new driver, hosingmillions of desktops in one go isn’t probably going to win you anyfriends.

(Also, just too finally close this set of blog posts (for now) I thought I’d also point out that Alex Ionescu has explained what happened and why he pulled Purple Pill .)

Things still not clear:

a) How is Microsoft going to stop the old ATI driver being loaded andexploited by users that do manage to obtain Administrative privileges?

b) When is it safe to revoke the signing certificate (I believe it will have used timestamp signingand thus be possible to revoke it only for signed file before a certaindate) or add its signature to security software such as antivirus.

Anyway enough from me let the car crash TV continue…