The ati driver allowed a backdoor...

so they certified a root module and loaded uncertified dll-s into the driver. This allowed a faster development cycle, because they didn't have to ask microsoft's certification for every patch they made. On the other side, doing the same process correctly slowed down nvidia's developement. What ati did was to intentionally disable security with a backdoor.

This feature is not new, we had a driver like this for win2k and winxp. Used by hobbysts to open hardware port access to user mode programs, so a program that used the hardware without drivers could be ported from dos to windows console mode without writing a kernel driver. The driver just disabled io and/or memory protection by patching the control structures of the nt kernel.

The problem with driver security is an architectural one. If they used a proper hypervisor then code could not be loaded and executed without the hypervisor checking it first. The problem with this is that very few pc-s could run hardware virtualization and have a working tpm chip with intel's efi installed. Actually the only such hardware are intel macs and even they don't really use this feature. (only used for copyright checks during boot and for itunes drm) This is why microsoft decided to opt for cooperative security instead, requiring nice behaviour from every kernel module. For a true tpm system, only the hypervisor have to be trusted and wired into the hardware. (another problem on a pc is to get the windows hypervisor burned into the cpu during manufacturing, so far only xbox360-s have this feature)