
Sunday, August 12, 2007

Purple Pill beats Windows Vista’s 64-bit driver authentication

Purple Pill, a utility that can bypass the new anti-rootkit/anti-DRM defense mechanism built into the 64-bit Vista kernel, was released, downloaded 39 times and then removed little more than an hour later.
Alex Ionescu has confirmed reports that his utility exploited the earlier reported ATI driver flaw to patch the Vista kernel and turn off certain checks for signed drivers, meaning that malicious rootkit authors could piggyback on ATI’s legitimately signed driver to tamper with the Vista kernel.
Ionescu pulled the utility after realizing that the ATI driver vulnerability, which Purple Pill used as a proof of concept, had yet to be patched.
A spokesman for Microsoft disclosed that the company is working with ATI on the driver flaw issue and once fixed the company will assist in getting the fix delivered to its OS users.
“To the best of our knowledge, Purple Pill was a proof of concept demonstration tool that was available for a very limited time and is no longer available,” the spokesman said.
Since Purple Pill piggybacks on the security certificate of a hardware driver that is installed on 50 per cent of laptops, it cannot be addressed as easily as the Atsiv exploit, where Microsoft simply revoked LinchpinLabs’ certificate on Atsiv and issued a signature for Windows Defender categorizing Atsiv as malicious.
Ollie Whitehouse, a security researcher at Symantec, told The Register that “What ATI is probably going to have to do is get a new certificate, sign fixed versions of all their affected drivers, and release them via Windows Update. Only then can Microsoft get VeriSign to revoke the signing certificate.”
