Vista kernel limits have security vendors on edge

By Dennis Fisher, News Director
11 Aug 2006 | SearchSecurity.com

Security Wire Daily News

Executives at Symantec Corp. and other security vendors say that some of the security technologies that Microsoft plans to introduce in Vista are making it harder for them to build products that protect customers.

Of specific interest is Vista's PatchGuard feature, which prevents any software other than Microsoft's from adding extensions to the Vista kernel, regardless of intent. It is designed to prevent malware from hooking the kernel for nefarious purposes, but it should also stop third-party software from making legitimate extensions to the kernel.

Following the May debut of Microsoft's Windows Live OneCare antivirus, antispyware and security suite, the Redmond, Wash., software giant has executives at other antivirus and security companies on edge.

"I haven't gotten any answers from the Windows engineers as to whether this is a new policy or just something they're doing, but at a company like Microsoft something like this usually happens from the top down," David Thompson, CIO at Symantec, of Cupertino, Calif., said in a recent interview. "What this does is limit our ability to build products that are compatible with Vista. That's bad for customers."

But it's also potentially good for Microsoft. The company for years has relied on Symantec, McAfee Inc., Trend Micro Inc. and CA Inc. to deliver antivirus products for Windows machines, and most PC manufacturers preload one of these vendors' AV suites on new computers. But that model could quickly fall by the wayside, as Microsoft prepares to deliver Vista and works to entice consumers to switch to Windows Live OneCare.

Other security vendors say they understand why Microsoft is doing what it's doing with PatchGuard and similar kernel-protection technologies, but say that the effects will likely be short-lived.

"Since many programs, including security software, use the kernel in undocumented ways, they had a concern," said Ron O'Brien, senior security analyst at UK-based antivirus firm Sophos plc. "PatchGuard will serve as a deterrent for a period of time, but will be circumvented sooner or later."

Some executives in the security industry, including Symantec CEO John Thompson, have said that they don't fear Microsoft as a competitor. But CIO David Thompson said the company is very aware of the threat that Microsoft poses to its core AV business.

"We absolutely take them seriously. That's a very smart group of people," Thompson said. "But I have a lot of confidence in our team too. We have a very large and very loyal customer base."

PatchGuard has been available on Windows XP x64 Edition for some time, but its inclusion in Vista will be its first wide release. In a blog post this week discussing the kernel mode security in Windows, Oliver Friedrichs, director of emerging technologies at Symantec, expressed many concerns about PatchGuard and its implications.

"Another disturbing side effect of this technology is that while legitimate security vendors can no longer make extensions to the Vista kernel (any attempt to circumvent these security features may only work temporarily), researchers and attackers can, and have, already found ways to disable and work around PatchGuard," Friedrichs wrote. "These new technologies, along with Microsoft's unwillingness to make compromises in this area, have serious implications for the security industry as a whole."

A source at Microsoft, who asked not to be named, said the company has no agenda that would justify preventing other security vendors from making compatible products; it is simply trying to lock down the Vista kernel as tightly as possible.
