August 9, 2006 3:01 PM PDT

Symantec picks away at Vista's core

In a third and final report on Windows Vista, Symantec examined the security of the operating system core and found some vulnerabilities.

Vista includes several barriers designed to prevent malicious code from gaining access to the operating system core or kernel. These enhancements are "quite substantial" and result in a "dramatic reduction" of the overall attack surface of the operating system, Symantec said in a report published Tuesday.

"However, we have identified certain weaknesses in the kernel enhancements that may be leveraged by malicious code to undermine these improvements," Matthew Conover, principal security researcher at Symantec, wrote in the report titled "Assessment of Windows Vista Kernel-Mode Security."

Vista, slated to be broadly available in January, will be the first new version of Windows for PCs since XP, which was released in 2001. Microsoft has put a strong emphasis on security in Vista and promotes it as its most secure version of Windows yet.

Microsoft dismissed Symantec's report as old news, because the research is based on a Vista build released several months ago. "Microsoft has been progressing toward the final release of the product and has released subsequent builds that have addressed the majority of the issues identified in this report," a Microsoft representative said.

The Symantec report focuses on the 64-bit version of Vista, which has more kernel security features than the 32-bit version. Conover looked at build 5365 of Vista, released in April, for the report. "There have been security-related changes in subsequent builds, and we expect more changes up until the final release candidate," he noted.

In the report, Conover claims it is possible to circumvent several of the techniques Microsoft designed to protect the Vista core from malicious code. For example, the "PatchGuard" feature that checks the integrity of key parts of the kernel code can be disabled, according to the report.

Also, an attacker could disable the mechanism that blocks unsigned driver software from running on Vista PCs by "patching" core operating system files, Conover wrote. Malicious drivers pose a serious threat because they run at a low level in the operating system, with the same privileges as the kernel itself. Last week, another researcher attacked the same Vista security feature at the Black Hat event in Las Vegas.

Microsoft thanked Symantec for its feedback, even though the software giant called it "unusual for a partner to provide this amount of analysis and publish its findings on a beta version of Windows Vista."

Traditionally allies, Microsoft and Symantec are now going head-to-head in the security arena. In late May, Microsoft introduced Windows Live OneCare, a consumer security package, and the company is readying an enterprise product. Symantec has sued Microsoft, alleging misuse of data storage technology it licensed to the company.

Earlier Symantec reports on the Vista kernel looked at the networking stack and user account control features of Vista.



Anybody else spot this?
"Also, an attacker could disable a mechanism to block unsigned driver software to run on Vista PCs by "patching" core operating system files"

There are plenty of unsigned drivers around, I suspect because Microsoft charge a fee of some sort. Is this yet another attempt to leverage the market?
Posted by Jerry Dawson (125 comments )
Actually, that was our first thought...
When we had to "Disable driver-signing", just in order to load the Microsoft-recommended "Anti-Virus" software. And, while reading the "command-line" instructions at Microsoft's web-site, also read the statement that being able to disable "driver signing" would ONLY function in "Vista Beta", NOT the "final-release version", we became VERY concerned that this WOULD allow all manner of abuses, and forcible revenue-extraction, by Microsoft.

From a "security" standpoint, simply being required to re-log-in, specifically as an "admin", and then take very-specific-actions, to load "un-signed" software would quite reasonably-preserve system-integrity, without robbing computer-owners, and third-party product-producers, of their basic freedoms.

I think Microsoft's action, regarding controlling "unsigned" software is far too heavy-handed and, based upon the decades of abuses by Microsoft, is very worrisome.

And, more to the point, many industry-analysts, consumer-watchdogs, and computer-product developers, have begun saying-so, too.
Posted by Gayle Edwards (262 comments )
Signed drivers
Microsoft distributes strict guidelines that manufacturers must follow if they wish to have their driver approved, then the driver must be submitted to Microsoft for testing. If all works out ok, it becomes approved and depending on the company the driver is added into the installation similar to how you find plug n' play support for most HP printers and Linksys network cards.

Generic devices produced by non-brand name companies typically don't have signed drivers because it costs more to make something right than it does to make something that works.

Through group policy un-signed drivers can already be configured as unusable. Just more work for your friendly neighborhood network admin.
Posted by Mr. Network (92 comments )
Now, if Symantec would only...
Now, if Symantec would only analyze and fix their own bloated, buggy software...
Posted by john55440 (1020 comments )
Are they fighting?
Is it just me or is Symantec angry at Microsoft? Lately they seem to be concentrating on making Vista's security seem flawed. Is Symantec creating a Vista-only product to enhance or replace Microsoft's own security?

Symantec's products have their share of problems too. Everyone remember last week's news when one of their products kept telling people that a piece of software used by clergy to make sermons was actually spyware and should be deleted, so they did and then the program stopped working!

HA! That was funny! They had to patch the program and apologize!
Posted by thedreaming (573 comments )
Are they fighting?
>Is it just me or is Symantec angry at Microsoft?<

It looks that way, due to the introduction of Microsoft Windows Live OneCare.

BTW, PC Magazine hates OneCare, calling the antispyware function "not effective in testing."

Shame on Microsoft, again. <sigh>
Posted by john55440 (1020 comments )
You are so right!
You are so right! Even if they're justified, seeing Symantec criticize Microsoft is just hilarious, given the quality of their own product. If Microsoft is really using that much of Symantec's tech---even if it were licensed---I'm that much less likely to upgrade to Vista, simply because Symantec's own software is so unimpressive. The term "streamlined" is obviously something that neither of these companies will ever grasp.
Posted by bogerl (22 comments )
whoops John55440
That should have been a reply to John55440's comment, but I'm a moron and replied to the story. Sigh.
Posted by bogerl (22 comments )
MS does not make $ for signed drivers
The tools to sign drivers are free.

You can pay any trusted authority to provide a certificate chain to validate a driver signature, or (if you wish to do so) you may establish your own trusted authority.

Companies who provide certificate or identity validation (think: verisign) are the ones who get paid to validate driver signatures, not Microsoft.

Signing a driver, once your certificates and trusted roots are in place, takes no more effort than compiling; in fact, all it requires is an additional argument be given to the compiler.

The value this provides is immense: it guarantees the user that the code is what it says it is; that is, it's the binary that was built by the specified vendor and not someone else's file. This allows you to know before running it that it's backed by a real, accountable entity and not some hax0r.

Moving forward, the likely direction security will go is away from the 'look for bad binaries and block them' method, toward the 'only run known good ones' method. We're moving in this direction today with drivers because by their nature they have high permissions. In the future, expect some sort of control like this to occur for programs as well.
Posted by cjooss (1 comment )
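The two comments above describe the same control from opposite sides: the policy that refuses unsigned drivers, and the signature that ties a driver binary to an accountable vendor. As an added illustration (not code from the article, from Symantec, or from any commenter), the PowerShell script below walks the local driver directory and reports each driver's Authenticode status, signer and SHA-256 hash, so an administrator can see which files would be affected by an unsigned-driver policy and which have been altered since they were signed. It assumes a Windows host with PowerShell 5.1 or later and read access to System32\drivers; the output file name is an assumption of this example.

```powershell
# Added example, not part of the original article or comments.
# Enumerates kernel drivers and checks their Authenticode signatures.
# Assumes PowerShell 5.1+ on Windows and read access to the driver directory.
$driverDir  = Join-Path $env:SystemRoot 'System32\drivers'
$reportPath = Join-Path $env:TEMP 'driver-signature-report.csv'   # assumed output location

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver = $_.Name
            # Status values include Valid, NotSigned, HashMismatch, NotTrusted, UnknownError
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            # A stable fingerprint to compare against a known-good baseline later
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# NotSigned is the case an unsigned-driver policy would block.
# HashMismatch means the file changed after it was signed, which is the
# "patched core file" condition the article describes.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }

$report  | Export-Csv -Path $reportPath -NoTypeInformation
$suspect | Format-Table Driver, Status, Signer -AutoSize

Write-Host ("Checked {0} drivers; {1} not reported as Valid. Full report: {2}" -f
    $report.Count, @($suspect).Count, $reportPath)
```

One caveat when reading the output: many drivers shipped with Windows are signed through a catalog (.cat) file rather than carrying an embedded signature, so a NotSigned result on an inbox driver is a prompt to check the catalog before concluding the file is unsigned. The saved CSV is most useful as a baseline; diffing a later run against it surfaces drivers whose hash or signer changed, which is the kind of tampering the allow-list approach in the last comment is meant to catch.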