Symantec Blogs: Security Response

Ollie Whitehouse | September 6th, 2007

In my last post on the subject of Vista versus the battle of vulnerable and malicious signed drivers, I said there was some conjecture about whether Microsoft was going to use Windows Update to distribute a patch for a vulnerable ATI driver. Elia Florio on our Security Response Operations team in Ireland sent me a link to a notice at ISC which showed this is indeed what they are doing. The link to the AMD notice shows this is indeed meant to resolve the security issue.

It is kind of interesting that Microsoft is making the update only ‘...

Ollie Whitehouse | August 23rd, 2007

Here is a short update to bring this latest chapter in Vista’s security fairytale finally to a close.

On Monday the 13th of August, ATI patched their Catalyst drivers to resolve the vulnerability that PurplePill exploited. ATI should be commended for the speed and agility with which they responded to the issue, although one has to wonder if Microsoft had a hand in this.

It’s still not clear how they are going to deal with the distribution of this update (there's some conjecture around using Windows Update) and revocation of the old driver. Patching it is one thing, but they can’t leave the old driver...

Ollie Whitehouse | August 13th, 2007

So, in the Future Watch section of the last Internet Security Threat Report and in our Windows Vista research, we stated that drivers were increasingly being attacked and that we would expect this trend to continue. We also stated that these third-party drivers posed one of the greater areas of exposure to technologies such as driver signing, PatchGuard and general kernel integrity on Windows Vista 64-bit. I recently blogged about an example of one third-party hardware driver from ATI and the issues it was causing Microsoft. Before that, I discussed a third-party driver which was specifically designed to allow the loading of arbitrary unsigned kernel drivers.

Anyway, before these came another example, though I've...

Ollie Whitehouse | August 7th, 2007

The other day, I blogged about the latest happenings in the Atsiv saga. Today I’m providing an update, which I couldn’t have made up even if I tried.

This can only be described as one of those moments that would make anyone in Microsoft’s situation start to sob. Alex Ionescu published an entry on his blog (which subsequently got pulled) with a supporting tool called Purple Pill. This tool had embedded in it an ATI-signed driver that would be dropped to disk and loaded (a similar approach to Atsiv). However, it would appear that this signed driver contained a design error which allows you to use it to load any arbitrary driver, even if it is not signed (similar functionality to Atsiv). You can imagine this came about due to a requirement to extend this core driver with arbitrary modules in ATI’...

Ollie Whitehouse | August 5th, 2007

So, Friday before last, I blogged about the Atsiv tool. As a quick refresh, this was a tool which implemented its own PE loader within a kernel driver. The authors had gone through the process of obtaining a signing key for both the 32-bit and 64-bit versions of Windows Vista for their kernel driver. The result was that it could be used to load arbitrary unsigned driver code, including rootkits, into the Vista kernel.

In the same blog, I stated it would be interesting to see how long it would take for Microsoft to get the certificate revoked. Well, the clock officially stopped running last Thursday when Microsoft started shipping a signature in Defender (Symantec also detects Atsiv as SecurityRisk.Atsiv) while also asking for...

Ollie Whitehouse | July 26th, 2007

One of my colleagues, Orlando Padilla, recently ran across a tool by Linchpin Labs & OSR which allowed unsigned drivers to be loaded on Vista 64-bit. The tool, Atsiv, is interesting since one of the big security features advertised by Microsoft for Vista 64-bit was the fact that no unsigned code could be loaded into the kernel, in order to help mitigate the malicious kernel drivers typically used by rootkits.

When looking at how it does its magic, the original .exe contains two resource sections:

DRIVER_BIN32
DRIVER_BIN64


These are actually signed 32-bit and 64-bit drivers. The command line tool loads the appropriate driver, which then in turn allows loading of unsigned drivers due to the implementation of their own PE loader. A side effect of using their own loader is noted by the authors in their design documentation:...

Ollie Whitehouse | December 29th, 2006

While speaking with an industry friend recently, he mentioned that he had received some spam. When viewed in plain text, the spam looked like this (the filename has been changed to save the compromised):

Subject: You have received a greeting from a family member! You can pick up your postcard at the following web address http://62.75.XXX.XXX/~XXXXXXXX/XXXXXXXXXX.exe

However, if you remove the executable from the URL, you get a directory listing:

[Image: OW_dcrim_index.jpeg, the directory listing]

So, from this we can see the machine had been compromised for two months prior to the malicious code being placed upon the site (one day before my friend received the message). However,...