For all the praise Microsoft gave to the Vista kernel, touting it as robust and secure, it has taken quite a beating in the field. Just recently, Microsoft was forced to block a particular program that could result in “kernel compromise”, and even more recently something almost everyone takes for granted has done the same.
An ATI driver for video cards could potentially be used to compromise the kernel in Windows Vista. Apparently, one of the hackers who discovered the flaw had assumed it was already patched and released a tool that demonstrated such. He pulled the tool once he learned the flaw was “in the wild”:
In an interview, Ionescu confirmed his tool was exploiting a vulnerability in an ATI driver — atidsmxx.sys, version 3.0.502.0 — to patch the kernel to turn off certain checks for signed drivers. This meant that a malicious rootkit author could essentially piggyback on ATI’s legitimately signed driver to tamper with the Vista kernel.
Microsoft and AMD/ATI are already working together to fix the issue. Ultimately it was a way to load unsigned drivers into the Vista kernel, which Microsoft is relying on to help prevent a machine from getting compromised by either an enterprising hacker or a legit user wanting to bypass Vista's DRM.
While the security implications here aren't anything unusual, it does beg a question. If it is as easy as loading a signed but faulty driver into Vista to result in compromise, can they really claim they have increased security at all over XP?