Purple Pill: What Happened

Two weeks ago, I posted and published about a tool I wrote called Purple Pill, which used a bug in the ATI Vista x64 Video Driver to allow unsigned drivers to load. Within an hour, I pulled off the tool and the post, on my own accord, due to the fact I discovered ATI was not made aware of this particular flaw, and I wanted to follow responsible disclosure and allow ATI to fix their driver.

This flaw was especially severe, as it could be used for other purposes — including allowing a guest user access to a SYSTEM token, if the user was using a computer with an ATI Video Card. Therefore, it could have significant security implications beyond my original goal of bypassing Driver Signing on 64-bit Vista. On systems without the driver, administrative privileges would be required for any kind of attack. I originally thought this flaw had been reported to ATI since it was disclosed publically at Blackhat — something that’s usually only done once the presenter has notified the company. In this case, it seems this was not done, and I made an incorrect assumption. I should’ve checked the status of the flaw on my own, before posting the tool and I apologize for not having done so.

As for the act of bypassing driver signing, while I still disagree with Microsoft’s policy of not allowing users to set a permanent policy to explicitly allow this (at their own risk, perhaps even voiding support/warranty options), I have come to realize that attacking this policy isn’t the way to go. Microsoft has decided that Code Integrity is a new part of their security model and it’s not about to go away. Using kernel bugs to subvert it means that these measures would eventually be fixed, while exploiting 3rd party drivers potentially allows malware to figure out how to do this as well, and use the 3rd party driver maliciously. It is also a method that can be protected against, since Vista does have the ability to do per-driver blocking, and once the 3rd party vendor has upgraded all the customers, the older driver can be killed (or even shimmed against, since various kernel infrastructure in Vista allows for this kind of real-time patching).

I am currently exploring other avenues for allowing open source drivers to function on 64-bit Vista without requiring developers to pay for a certificate and deal with the  code signing authorities, while still respecting Vista’s KMCS policy, and continuing to protect against malicious drivers using such a method for their own gain. It is my hope to find a solution which will both please Microsoft and the KMCS policy, as well as make life easy for open source developers (and other non-commercial hobbyists) which for whatever reason don’t want to, or cannot, pay for a certificate.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.