We support Microsoft .NET Framework 2.0 & 1.1, all versions of Access, SQL 2000, SQL 7.0, SQL 2005 Express, SOAP, FrontPage 2002, 2003, Visual Studio 2005, Index Server, XML, UDDI, & Mobile device support. We also offer great third party tools like SmarterMail, Merak Mail, SmarterStats, PHP, Perl, MySql, DeepMetrix Livestats XSP 8.0.
 Tuesday, August 07, 2007

Once again security researcher Joanna Rutkowska took the stage at Black Hat, and once again she set out to prove in glorious detail how to exploit and attack Microsoft Windows Vista.

This year she brought a new pill and a few more tricks to take Vista to task. "I'm going to talk about Vista kernel protection and why it doesn't work," Rutkowska boldly declared to the overflow crowd.

She then read a quote from Microsoft's Vista documentation that stated that even users with admin privileges cannot load unsigned kernel-mode code on the system. Then she smiled mischievously.

"There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska said.

She then displayed two examples, both from video driver companies, to prove her point. In her view, both the ATI Catalyst driver and the NVIDIA nTune Driver are bad in that they could be used as an attack vector to circumvent Vista kernel protection.

With the NVIDIA driver, Rutkowska alleged that the driver was able to read and write registers without any additional checks.

"The whole problem in NVIDIA is that the driver doesn't do the proper checks and can do a write for an arbitrary registry."

To add further insult to injury, the target machine doesn't even need to have the bad driver on the system in order for the attacker to use it as an attack vector.

"The attacker could just include it as part of their own rootkit and then use it to exploit Vista," Rutkowska said. "It doesn't matter whether it's a popular driver or not. We can bring it to the target system and exploit it."
