(Driver Signing <> Kernel Patch Protection) AND (KPP <> Driver Signing)
So I am reading a lot of stories that seem to have confused, or incorrectly aligned, Windows Vista driver signing and Kernel Patch Protection technologies. Whilst driver signing and KPP are complementary, they are not conjoined.
Driver signing provides a method to better identify the author/creator of a piece of software or code so that the author/creator can be approached in the event that a reliability issue, vulnerability, or malware is discovered. Signing is not designed to confirm the “intent” of signed code (i.e. good or bad), or whether exploitable bugs or malicious code are present. Malicious or exploitable kernel drivers can lead to system compromise beyond the disabling of code signing controls, since kernel driver code has access to hardware as well as all programs running as the user.
Kernel Patch Protection (KPP) helps protect code and critical structures in the Windows kernel from modification. Microsoft updates KPP periodically, based on internal and external research. You can read more about KPP here:
Perhaps the mix-up is due to a confluence of events, or – put another way – the fact that we released an update to KPP at the same time that news about an ATI driver issue appeared. The update to KPP has no relationship to the ATI driver issue or recent topics related to code signing.
These are unrelated events!
1: Microsoft issued a non-security update for Kernel Patch Protection (KPP), and an accompanying security advisory: Microsoft Security Advisory (932596)
2: Microsoft was made aware of an issue reported in an ATI driver that is potentially vulnerable. Microsoft was in contact with ATI to help address this issue and ATI have posted a fix in the v7.8 Catalyst Package that can be found here:
I would like to highlight that the driver in question was not shipped ‘in-box’.