July 27, 2006

Security Vendor Claims Microsoft Is Shutting Out Competition

Security solution provider Agnitum claims that Microsoft's kernel patch protection will shut out competing products unless competitors resort to hacker tactics.

In an article posted to the company's Web site, Agnitum said that because of the way Microsoft designed its kernel patch protection "it will be more complicated for third-party security software companies to install and maintain their software on Windows PCs. In some circumstances, kernel patch protection may even block the installation of third-party security software." 

The brunt of the complaint centers around the way some vendors hook into the kernel in order to gain enough control to defend the system against attacks. Agnitum said in order to protect a system developers sometimes resort to patching the kernel. Such a patch might involve changing a service number in the system's Service Dispatch Table so that it points to third-party code. Then when that particular service is called by a program the third-party code is invoked instead of the original kernel code.

But that method of hooking into the lower levels of the operating system won't be possible with the new kernel patch protection, which will be a standard feature of Windows Vista and the upcoming Longhorn server operating systems. Kernel patch protection was introduced with the release of Windows Server 2003 Service Pack 1 for x64 platforms and Windows XP x64 Edition.

According to Microsoft's documentation there is no way to disable kernel patch protection on a system-wide basis nor for individual applications or drivers. The only way to disable it is to attach a debugger to the system. Microsoft expects developers to use its published application programming interfaces (APIs) in order to gain the functionality required for a given application. However, Agnitum claims that Microsoft's published APIs don't allow developers to gain preemptive on-the-fly control over low-level system activity on systems that include kernel patch protection.
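The following is an added, user-space model (not code from the article, Agnitum or Microsoft) of the two mechanisms described above: a dispatch table whose service entry is redirected to third-party code, and a periodic integrity check of the table that flags the change. The table, service functions, and the FNV-1a checksum are constructed for illustration; Microsoft's actual verification scheme is not documented on this page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a service dispatch table: the service number
 * indexes a function pointer, as in the hooking technique described above. */
typedef int (*service_fn)(int);

static int svc_open(int x)  { return x + 1; }   /* pretend kernel service 0 */
static int svc_close(int x) { return x - 1; }   /* pretend kernel service 1 */
/* Hypothetical third-party handler that wraps the original service. */
static int third_party_open(int x) { return svc_open(x) * 100; }

#define NUM_SERVICES 2
static service_fn dispatch_table[NUM_SERVICES] = { svc_open, svc_close };

/* FNV-1a (64-bit) over the raw bytes of the table. Any change to an entry,
 * including a redirected function pointer, changes the digest. */
static uint64_t table_checksum(void) {
    const unsigned char *p = (const unsigned char *)dispatch_table;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < sizeof dispatch_table; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t baseline;   /* digest recorded when the table is known-good */

void record_baseline(void) { baseline = table_checksum(); }

/* The periodic verification step: 1 if the table is intact, 0 if patched.
 * A real patch-protection system would fault the machine on 0. */
int verify_table(void) { return table_checksum() == baseline; }

/* Repoint a service number at other code: the patch the article describes. */
void hook_service(int svc, service_fn fn) { dispatch_table[svc] = fn; }

/* Route a call through the table, as a program's system call would be. */
int call_service(int svc, int arg) { return dispatch_table[svc](arg); }

int main(void) {
    record_baseline();
    printf("intact: verify=%d open(1)=%d\n", verify_table(), call_service(0, 1));
    hook_service(0, third_party_open);
    printf("hooked: verify=%d open(1)=%d\n", verify_table(), call_service(0, 1));
    return 0;
}
```

The same check fires whether the entry was redirected by a security product or by a rootkit, which is the point of contention in the article.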

In closing its article Agnitum said that "Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously be detected by and remedied with anti-virus software will now cause the [system to crash]. The same result will occur after installation of security software that is not compatible with kernel patch protection technology. [We] believe this move by Microsoft is designed to force users to rely on Microsoft and only Microsoft for Windows security, removing the option to use third-party security solutions that, if past experience is anything to go by, are likely to be more robust and provide better protection than Microsoft offerings."

In its Kernel Patch Protection FAQ Microsoft said, "The primary motivation for implementing patch protection in Windows is to protect the integrity of the Windows kernel and, as a result, improve the overall reliability, performance, and security of Windows [...] Protecting the integrity of the kernel is one of the most fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching. However, it is not a panacea."

Agnitum said that hackers already know how to go around the kernel patch protection and that legitimate software developers who formerly relied on kernel patching techniques might have to adopt hacker tactics in order to maintain the functionality of their software.





Reader Comments
This is ridiculous. Every security measure Microsoft tries to add to the OS, someone has to complain about.

"Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously be detected by and remedied with anti-virus software will now cause the [system to crash]."

That assumes that the person has anti-virus software, and that it is up to date. The accurate statement is "Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously **run amok and trash your system** will now cause the [system to crash]." (my changes in asterisks.)

A crash is much better than your system being infected by a rootkit.

PatriotB6007 July 27, 2006


"This is ridiculous. Every security measure Microsoft tries to add to the OS, someone has to complain about."


Exactly! If a security vendor patches the kernel, then system reliability will decrease, no matter how careful they are. Microsoft *should* make its OS impervious to viruses, spyware, rootkits, etc. even if it means antivirus vendors go out of business.

NateB2 July 27, 2006


Laugh of the day...

"[We] believe this move by Microsoft is designed to force users to rely on Microsoft and only Microsoft for Windows security, removing the option to use third-party security solutions that, if past experience is anything to go by, are likely to be more robust and provide better protection than Microsoft offerings."

Fixing a long-standing security issue is anti-competitive? Maybe the best thing for Microsoft to do is to open the entire lower levels of Windows up to everyone, so antivirus vendors can receive more business. (Who knows? Maybe the EU can force MS to release another "special" edition without the security features!)

All these antivirus companies becoming worried about Vista (as in how to find security issues and thus sell their products) is heartening to me. Maybe Vista will *finally* be (nearly) secure!

NateB2 July 27, 2006


"is heartening"

typo - "are heartening"

For those people who put [sic] after every typo...

NateB2 July 27, 2006


Microsoft believes kernel patch protection defends code and critical structures in the Windows kernel against modification by unknown code or data. Kernel patch protection stores and periodically verifies checksums of specific kernel memory areas (network components); if a checksum mismatch is found, the result is the dreaded Blue Screen of Death (BSOD). According to Microsoft, this technique should prevent SDT modification and thwart the intentions of a number of rootkits.

It's Microsoft's design that will crash the system: AV software that alters the SDT will be seen as a rootkit and BSOD the system, not because of poor-quality software, but again because of Microsoft system design changes.

Third-party security solutions create a much-needed additional level of protection, and having a variety of these tools available empowers the user while handicapping the hacker. Simply put, it is much harder for malware writers to adapt malicious code for different protection mechanisms from multiple vendors than it is to attack a single-vendor solution that purports to be a universal fix.

This is true; otherwise it's like putting all your eggs in one basket: you just need to design your malware to beat Microsoft kernel patch protection and you're in.

Kernel patch protection does complicate rootkit writers' lives. But they can use quick-and-dirty techniques, because they don't need to worry about compatibility with existing system and application software.

Again true: if your malware crashes on 50% of PCs, what do you care? It's working on the other 50%.

notawindowsuser July 28, 2006


"Maybe Vista will *finally* be (nearly) secure!"

Yes, and then the Easter Bunny and Santa Claus will stop by and give everyone a gift basket filled with chocolate and lollipops, and we'll all ride our pretty pink ponies past the gumdrop waterfalls and candy floss trees of la-la land!

"Microsoft security" is the industry's biggest oxymoron. Third-party vendors have done more to shore up this company's swiss-cheese software than Redmond has ever been able to. Yes, I'm hopeful that MS will get it right this time, but then again, I've been hopeful for peace in the Middle East and that hasn't happened yet, either.

Anything that prevents third-party vendors from helping secure Windows--or makes it more difficult for them to do so--is a bad idea. I can't for the life of me understand why anyone (outside of the bean counters at Microsoft) would think differently.

-------

Wow! Only FIVE refreshes needed to get a usable verification image! Things are improving!

lotsamystuff July 28, 2006


"Anything that prevents third-party vendors from helping secure Windows"

If a virus writer or a rootkit writer can use the feature to corrupt Windows, then MS should lock the feature down. Windows *should not* need antivirus/antispyware to secure their system.

NateB2 July 28, 2006


I agree with NateB2 on this.

Everyone wants Windows to be more secure. So MS starts locking it down, sure, maybe a little later than they should have, but they are doing it. Now everyone is whining.

Wah wah wah. Our RAM- and CPU-intensive security software won't work.

GOOD!

A secure Windows means you won't have to run Norton or McAfee's system hogging C R A P on your machine.

Here's hoping they can pull it off.

sticknick July 28, 2006


Isn't it good news that security vendors hate Vista?

shark47 July 28, 2006


"Windows *should not* need antivirus/antispyware to secure their system."

I agree. I also know that where there's no market, there's no product, and there's a helluva lot of security products out there. MS has done a horrible job with security, hence the need for third parties to step in. I sincerely doubt that Vista is going to render them useless. We'll see.

------

Image verification refreshes: FIVE

lotsamystuff July 28, 2006

