The ATI driver flaw was highlighted by Joanna Rutkowska, security researcher and founder of Invisible Things Lab, at the Black Hat conference early this month as an illustration of why the Vista kernel protection doesn't work.
The flaw was later exploited by a proof-of-concept tool, Purple Pill, released by security researcher Alex Ionescu, that patches the Vista kernel to turn off certain checks for signed drivers, which means any malicious rootkit author could piggyback on ATI's legitimately signed driver to tamper with the Vista kernel.
ATI has confirmed the bug, which affects the AMD Catalyst software package, and strongly urged users to download the patch, Catalyst version 7.8.
While the bug has been patched, it doesn't mean that Vista is really a secure OS. Considering that there are several hundred poorly written third-party drivers, the same problem could occur again and again.
In addition, an attacker could write their own malicious driver and get it signed for use in an attack.
And because Microsoft has no way of knowing in advance whether a driver has a bug, or has been made explicitly for the purpose of corrupting the Vista kernel, the company needs to come up with a plan on how it can protect its Vista kernel better.
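Since signature enforcement only tells you that a driver was signed, not that it is free of bugs, the practical defensive step is to know which drivers are loaded, who signed them, and whether the kernel is running with enforcement relaxed. The script below is an added example, not code from the article or from ATI or Microsoft; it assumes an elevated PowerShell session on a Windows host and parses the plain-text output of `bcdedit`. The article does not name the vulnerable Catalyst driver file, so the script reports each driver's file version for the operator to compare against the vendor's patched release rather than hard-coding one.

```powershell
# Added example (not from the article): list running kernel drivers with
# their Authenticode status, signer and file version, and report whether
# the kernel accepts test-signed code (which relaxes signature enforcement).
# Assumes an elevated session; bcdedit output is parsed as plain text.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    # Drivers registered with the Service Control Manager that are currently running.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be prefixed with \??\, \SystemRoot or a bare system32; normalise it.
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^system32', "$env:SystemRoot\system32"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Driver  = $d.Name
            Path    = $path
            Status  = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }
    }
}

function Test-KernelTestSigning {
    # bcdedit prints a "testsigning Yes" line when test-signed drivers are accepted.
    $out = & bcdedit /enum '{current}' 2>$null
    return [bool]($out | Where-Object { $_ -match '^\s*testsigning\s+Yes' })
}

# Usage: show every running driver whose signature does not verify,
# then flag a kernel that is not enforcing signatures at all.
$report = Get-DriverSignatureReport
$report | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
if (Test-KernelTestSigning) {
    Write-Warning 'Kernel test-signing is enabled; driver signature enforcement is relaxed.'
}
```

A driver that shows `Valid` with a vendor signer is exactly the case the article describes: signed, trusted by the loader, and still potentially exploitable, so the version column matters as much as the status column. Feeding the report into inventory or a SIEM gives a baseline against which a newly loaded, unexpectedly signed driver stands out.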