Softpedia
 


August 3rd, 2007, 10:30 GMT · By

Faulty ATI and Nvidia Drivers Can Lead to a Complete Takeover of 64-bit Vista

Faulty drivers from ATI and Nvidia open a path to a complete takeover of 64-bit Windows Vista by circumventing the operating system's additional security mitigations, which are designed to prevent unsigned code from being loaded into the platform's core. This scenario was demonstrated at Black Hat 2007 in Las Vegas by security researcher Joanna Rutkowska, Founder/CEO of InvisibleThingsLab. Mandatory driver signing in 64-bit Vista is a security measure implemented to prevent malicious code from being loaded into the platform's kernel, a technique typical of rootkits. However, Rutkowska proved that the x64 Vista driver signing mitigation can be bypassed.

And in this context, emphasis has to fall on the fact that Vista is not entirely to blame. The fact of the matter is that a potential attacker could use faulty drivers as a key to the operating system's core. Rutkowska limited her demonstration to code released by AMD's ATI and Nvidia. But if two of the world's most prominent graphics hardware makers managed to produce low-quality drivers that let an exploit gain access to 64-bit Vista's core, then what does that tell you about the rest of the companies able to obtain driver signing certificates?

"There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska estimated, as cited by InternetNews, although her examples involved the ATI Catalyst driver and the NVIDIA nTune Driver. "The whole problem in NVIDIA is that the driver doesn't do the proper checks and can do a write for an arbitrary registry. The attacker could just include it as part of their own rootkit and then use it to exploit Vista. It doesn't matter whether it's a popular driver or not. We can bring it to the target system and exploit it."

The security measures set in place in 64-bit Vista to help mitigate the loading of unsigned kernel-mode code on the system are rendered useless by faulty third-party code. But Microsoft's own security mechanism can be bypassed just as easily. A driver certificate will cost an attacker only $250. And with a legitimate driver certificate for x64 Vista, access to the kernel will no longer represent an issue. "We can now sign whatever we want," Rutkowska commented. "No one can prove that I intentionally built a bug."


READER COMMENTS:


Comment #1 by: Lost Angel on 03 Aug 2007, 10:57 UTC

bullshit article - blame drivers for crappy OS security...
it is like writing "and actually our OS is most secure, just that if you install video drivers for it - it isn't quite as secure anymore"... What a load of crap...

That must be Microsoft's strike back at Nvidia's list of compatibility issues with Vista...

Copyright © 2001-2012 Softpedia.