Thread: Windows Vista x64 & kb932596

  1. #1

    Windows Vista x64 & kb932596

    Taos, a member here and on Exetools, has posted the following warning about an update to Windows Vista 64 and Unsigned Drivers:

    Do not install this update, reason? :
    Be careful of the kb932596 "update": it stops the "bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS" option working, that a lot of Vista x64 users were using to load unsigned drivers, and the associated MS KB article doesn't see fit to mention the fact that this is probably the only thing this "update" does. KB932596 definitely breaks unsigned drivers.
    If you use Google, you will see a lot of problems with this update.

    Fortunately, he also posted a "solution":

    Enter into Programs & characteristics (programas y caracteristicas) under control panel (panel de control) add/remove applications.

    Then see installed updates (ver actualizaciones instaladas). Click on kb932596 and then uninstall. This will remove this bug. ;-)

    Thanks taos!

    Regards,
    JMI

  2. #2
    Hehe nasty and good to know thx
    Regards,
    LibX // RETeam

  3. #3
    This update adds checks to this protection for increased resiliency in Windows.
    That's the official line. I suppose their idea of "increased resiliency" is to us "make it harder for the user to do what she wants to her own machine"

  4. #4
    Well, there is nothing that can't be patched, it's just annoying you have to do that over and over again if that part of the OS is updated.
    It seems they also blocked that official signed Atsiv driver now.
    Regards,
    LibX // RETeam

  5. #5
    tigerisme
    Guest
    thx good to know!
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    Quote Originally Posted by JMI View Post
    ...
    Do not install this update, reason? :
    ...
    KB932596 definitely breaks unsigned drivers.
    I think this update is a response to "Purple Pill":
    _http://www.symantec.com/enterprise/security_response/weblog/2007/08/driver_signing_on_vista_64_ati.html

    I took a look at it, ATI left a backdoor in one of its drivers (atidsmxx.sys v3.0.502.0)
    to disable signature checks instantly via DeviceIoControl.
    If anybody is interested, I can upload.

    Code:
    ;"\\Device\\AtiDCM"
    ;IoControlCode=22E00Ch
    
    CONTROLBUFF STRUCT
    
    	_rw	 byte ?	;0=read 1=write
    	_offset	qword ? ;offset to r/w =(ntoskrnl.exe base + 1792F8h)
    	_data	dword ? ;data to r/w (==0 to load unsigned driver)
    	_mode	dword ? ;1=byte, 2=word, else=dword (==1 to load unsigned driver)
    	_padding byte ?
    
    CONTROLBUFF ends
    Last edited by neviens; August 22nd, 2007 at 06:12.

  7. #7
    Actually, MSDN Blogs says that the update in question is related to "Kernel Patch Protection" and not the ATI Driver issue. See:

    http://blogs.msdn.com/windowsvistasecurity/archive/2007/08/16/driver-signing-kernel-patch-protection-and-kpp-driver-signing.aspx

    "So I am reading a lot of stories that seem to have confused, or incorrectly aligned, Windows Vista driver signing and Kernel Patch Protection technologies. Whilst driver signing and KPP are complementary, they are not conjoined.

    Driver signing provides a method to better identify the author/creator of a piece of software or code so that the author/creator can be approached in the event a reliability issue, vulnerability, or malware is discovered. Signing is not designed to confirm the “intent” of signed code (i.e. good or bad), or whether exploitable bugs or malicious code is present. Malicious or exploitable kernel drivers can lead to system compromise beyond disabling of code signing controls, since kernel driver code has access to hardware as well as all programs running as the user.

    Kernel Patch Protection (KPP) helps protect code and critical structures in the Windows kernel from modification. Microsoft updates KPP periodically, based on internal and external research. You can read more about KPP here:

    http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx

    http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx

    Perhaps the mix up is due to a confluence of events, or – put another way – the fact that we released an update to KPP at the same time that news about an ATI Driver issue appeared. The update to KPP has no relationship to the ATI driver issue or recent topics related to code signing.

    These are unrelated events!

    1: Microsoft issued a non-security update for Kernel Patch Protection (KPP), and an accompanying security advisory: Microsoft Security Advisory (932596)

    2: Microsoft was made aware of an issue reported in an ATI driver that is potentially vulnerable. Microsoft was in contact with ATI to help address this issue and ATI have posted a fix in the v7.8 Catalyst Package that can be found here:

    http://ati.amd.com/support/drivers/vista64/common-vista64.html,

    http://ati.amd.com/support/drivers/vista32/common-vista32.html

    I would like to highlight that the driver in question was not shipped ‘in-box’.

    Russ Humphries"


    Regards,
    JMI
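
An audit sketch for the three things this thread discusses, added here as an example and not posted by any thread participant: whether KB932596 is installed, whether a boot entry carries the DDISABLE_INTEGRITY_CHECKS load option, and whether the ATI driver version named in post #6 is on disk. The function names, the driver directory and the report layout are assumptions; the KB number, flag, file name and version are taken from the posts as written.

```powershell
# Added example, not from the thread. Identifiers taken from the posts:
# KB932596, DDISABLE_INTEGRITY_CHECKS, atidsmxx.sys v3.0.502.0.
# Function names, driver directory and report shape are assumptions.

function Test-IntegrityCheckOverride {
    param([string[]]$BcdText)   # lines printed by 'bcdedit /enum'
    # True if any boot entry's loadoptions element carries the flag.
    foreach ($line in $BcdText) {
        if ($line -match '^\s*loadoptions\s+.*DDISABLE_INTEGRITY_CHECKS') { return $true }
    }
    return $false
}

function Get-FlaggedAtiDriver {
    param(
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),  # assumed location
        [string]$FileName  = 'atidsmxx.sys',   # name as written in post #6
        [string]$Flagged   = '3.0.502.0'       # version as written in post #6
    )
    $path = Join-Path $DriverDir $FileName
    if (-not (Test-Path -LiteralPath $path)) { return $null }
    # Build the version from numeric parts; the FileVersion string can carry extra text.
    $v   = (Get-Item -LiteralPath $path).VersionInfo
    $ver = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
    [pscustomobject]@{ Path = $path; FileVersion = $ver; MatchesFlagged = ($ver -eq $Flagged) }
}

# Constructed sample of 'bcdedit /enum' output, to exercise the parser offline.
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'loadoptions             DDISABLE_INTEGRITY_CHECKS'
)
"Parser self-check on constructed sample: $(Test-IntegrityCheckOverride -BcdText $sample)"

# Live audit; bcdedit needs an elevated prompt.
[pscustomobject]@{
    KB932596Installed    = [bool](Get-HotFix -Id 'KB932596' -ErrorAction SilentlyContinue)
    IntegrityOverrideSet = (Test-IntegrityCheckOverride -BcdText (bcdedit /enum))
    FlaggedAtiDriver     = (Get-FlaggedAtiDriver)
} | Format-List
```

The driver check treats the version in post #6 as the file version; if the file is installed elsewhere by the Catalyst package, pass its directory with `-DriverDir`.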
