The company just happened to refresh PatchGuard after the core of 64-bit Vista was broken repeatedly

Aug 17, 2007 07:58 GMT

The 64-bit version of Microsoft's most secure Windows platform to date has had a rough time lately. The mitigations put in place to safeguard the operating system's core came under heavy fire, exposing flaws in the security model designed to prevent unsigned code from loading into the kernel. Two different technologies watch over x64 Vista's core: mandatory driver signing and PatchGuard. Microsoft, through the voice of Russ Humphries, a senior program manager with the company's security team, explained that the two technologies are meant to be complementary, but that they are not tied to each other. Humphries also emphasized that the update to Kernel Patch Protection is not connected with the recent string of Driver Signing bypasses.

At Black Hat 2007 in Las Vegas, Joanna Rutkowska, security researcher and CEO of Invisible Things Labs, demonstrated how flawed AMD ATI and Nvidia drivers can allow unsigned kernel-mode code to be loaded. This is of course not the only example. Linchpin Labs & OSR released a tool called Atsiv at the end of July that enables loading legacy drivers on x64 Vista.

The utility used a legitimately signed 64-bit Vista driver to load unsigned code into the operating system's kernel. Microsoft subsequently revoked the compromised driver certificate and added signatures to Windows Defender to fend off Atsiv. Purple Pill also belongs to the category of tools that break kernel Driver Signing, but in its case it exploited a vulnerability in an ATI driver to bypass the code-signing requirement.

At the same time as AMD released an update for the flawed ATI driver, Microsoft offered its own update for PatchGuard, "adding checks to Kernel Patch Protection for increased resiliency in Windows." Even though the releases were almost simultaneous, Microsoft stated that there is no connection between them, and added that the Kernel Patch Protection update is not a security update.

"Perhaps the mix-up is due to a confluence of events, or - put another way - the fact that we released an update to KPP at the same time that news about an ATI Driver issue appeared. The update to KPP has no relationship to the ATI driver issue or recent topics related to code signing. These are unrelated events! Microsoft issued a non-security update for Kernel Patch Protection. Microsoft was made aware of an issue reported in an ATI driver that is potentially vulnerable. Microsoft was in contact with ATI to help address this issue and ATI have posted a fix in the v7.8 Catalyst Package (ATI x64 Vista; ATI x86 Vista)," Humphries commented.