AMD Inoculates “Purple Pill”

Last week, reports of an AMD ATI Catalyst driver vulnerability appeared around the web. The vulnerability affected the ATI Catalyst driver package, was triggered by the proof-of-concept Purple Pill tool, and allowed malicious kernel tampering in Windows Vista.

The Purple Pill came from kernel developer Alex Ionescu. Ionescu released the tool without realizing AMD had yet to patch a flaw in its ATI Catalyst driver package. The tool allowed users to load unsigned drivers in Windows Vista. Theoretically, a malicious user could tamper with the Vista kernel using a rootkit that would piggyback on the ATI driver.

“After immediate investigation, AMD determined that a small section of code from one of the files in our installer package is potentially vulnerable,” said Jon Carvill, public relations manager, AMD Graphics Products Group. “We strongly recommend that desktop ATI Radeon graphics users update to Catalyst version 7.8 once it is available on”

AMD is not the only company affected by the Purple Pill vulnerabilities, according to Carvill. However, the Purple Pill specifically targeted the vulnerability in the ATI Catalyst package.

A demonstration by Joanna Rutkowska earlier this month at the Black Hat event in Las Vegas revealed that NVIDIA’s nTune Driver is vulnerable to the same attack. The NVIDIA driver allowed unchecked reading and writing of registers, according to Rutkowska. An NVIDIA representative was unavailable for comment. During the demonstration, Rutkowska also said any driver could be exploited, whether it was popular or not.

AMD issued a new ATI Catalyst release today to address the Purple Pill exploits. The latest ATI Catalyst also introduces the usual performance improvements and resolved issues.

AMD users can download the latest ATI Catalyst for Windows XP, XP 64-bit, Vista and Vista 64-bit.
