August 10, 2006 2:55 PM PDT
Windows defense handcuffs good guys
- Related Stories
-
Piecing together Windows Vista
November 8, 2006 -
Symantec picks away at Vista's core
August 9, 2006 -
Symantec continues Vista bug hunt
July 24, 2006 -
Chills at Microsoft's security huddle
July 24, 2006 -
Rootkits get better at hiding
July 18, 2006 -
Microsoft swims upstream on security
June 22, 2006 -
Microsoft shakes up security fray
June 7, 2006 -
Beware the Microsoft 'monoculture'
May 18, 2006 -
Intel's VPro to boost security
April 24, 2006 -
Symantec won't 'whine' about Microsoft
October 11, 2005 -
Microsoft launches 64-bit Windows
April 25, 2005 -
AMD unveils details of its 64-bit chip
September 23, 2003
Microsoft designed PatchGuard to safeguard core parts of Windows, including Vista, against malicious code attacks. But some security companies say that the feature makes it harder for them to protect Windows PCs, as it locks them out of the kernel, the core of the operating system.
"PatchGuard is hurting security vendors more than it is hurting malware writers," Bruce McCorkendale, a chief engineer at Symantec, told CNET News.com in an interview Wednesday. "There are types of security policies and next-generation security products that can only work through some of the mechanisms that PatchGuard prohibits."
Symantec is not alone in its complaints, but it is the largest security company to speak out publicly. Sana Security and Agnitum, two smaller vendors, said they share its concerns, but giants Cisco Systems and McAfee declined to comment for this story.
Microsoft defends the technology, which applies only to 64-bit versions of Windows. Cybercrooks have found ways to exploit the kernel for malicious purposes, making the protection offered by PatchGuard key to securing the operating system, said Stephen Toulouse, a program manager in Microsoft's Security Technology Group.
"It is more important to prevent the installation of malicious software than it is to allow third-party vendors, no matter what the software, to extend the kernel," Toulouse said. "This is not specific to security software. This is a global change to 64-bit Windows to provide a more security computing experience."
Microsoft's push into the security market has put many defense providers on guard. Symantec, especially, looks wary; it has said it will compete with Microsoft as long as there is a level playing field. Now, for the first time, Symantec is saying that Microsoft is limiting the security choices of consumers--which could be interpreted as anticompetitive behavior.
"PatchGuard will make it harder for third parties, particularly host intrusion prevention software, to function in Vista," said Yankee Group analyst Andrew Jaquith. "Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use 'black hat' techniques to bypass the restrictions."
Barriers to the kernel
PatchGuard debuted a year ago in Windows XP x64 Edition, but the technology was never broadly adopted. That's set to change when Windows Vista hits store shelves in January, analysts expect. As people buy PCs with 64-bit processors use of the 64-bit edition of Windows will increase.
In particular, PatchGuard inhibits host intrusion prevention products, security vendors and analysts said. These "HIPS" products are an upcoming class of security software that determines whether a program is malicious by looking at its behavior, rather than using the classic signature-based approach, which checks a program against a database of known threats.
On top of this, PatchGuard blocks features to protect against tampering with security tools, McCorkendale said. Malicious programs increasingly try to disable security software, and the tamper-protection features aim to prevent that.
"There is a whole bunch of companies out there that have pioneered next-generation security, that are limited by PatchGuard," McCorkendale said.
There's another "disturbing side effect," according to a Symantec blog posting. While legitimate security vendors can no longer make extensions to the Vista kernel, attackers have already found ways to disable and work around PatchGuard, it says.
Sana Security and firewall maker Agnitum sounded a similar alarm.
"Bad guys can bypass PatchGuard today," said Vlad Gorelik, chief technology officer at Sana Security, which makes host intrusion prevention software. "Microsoft has this assumption that if you put a shield in, the bad guys will stay out. That is not the way it works. But now they force security vendors to bring a knife to a gun fight."
The barrier to the Windows kernel forces security companies to adopt hacker tactics, Gorelik said. "We will have to come up with alternative mechanisms for doing the same thing," he said. "In some cases, we can actually take a page out of the bad guys' text book and bypass PatchGuard."
With PatchGuard, Microsoft is effectively taking control of security for the Windows core, Gorelik said. Previously, third parties could also provide defenses for that part of the operating system, he said. Now, if PatchGuard breaks, it will be up to Microsoft to fix the flaw and make Windows PCs secure.
"They would have to patch the kernel if someone bypasses PatchGuard," Gorelik said, noting that the kernel is the toughest thing to fix in the operating system.
See more CNET content tagged:
kernel, Stephen Toulouse, Symantec Corp., 64-bit, security
69 comments
Join the conversation! Add your comment (Log in or register)
competition. </sarcasm>
the general business and technology folks, this may be news for them... but for sure its known about between the circles of the underground elite hackers (elite hackers means elite hackers, not kiddies)
You see, I had been serious considering upgrading to a full 64 bit machine when Vista finally gets around to shipping, but if they're going to make it impossible to secure my computer, I have to reconsider.
Harry Voyager
First off this a BETA...yes BETA...BETA...BETA. Some things in this BETA will be fixed before shipping.
Second thing most of these comments come from MS rivals who are feeling the heat from MS offering their own securit tools. Most will cry monopoly and unfair play by MS....these same people will say MS products are full of holes and they need to patch them. MS cant win.
Lastly I think AV products makers are just scare mongers out to scare you into buying their products.
Hackers.....are just a total waste of air and take everything for society and give nothing back...someone should set off a tactical nuke at the next Black Hat convention and take out most of them with one shot.
I have been buying AV products for years at home and for the corporations I have worked at. I have never gotten a virus at home...but being in IT all my life I have my home enviroment always patched and locked down. At work I have seen a few outbreaks and 99.9% of the time they could have been prevented with either good administration or proper patching. MS gets fixes out fast for most of their products and warns the world to apply them.
I think the AV/security vedor buisness is 90% BS!
the general business and technology folks, this may be news for them... but for sure its known about between the circles of the underground elite hackers (elite hackers means elite hackers, not kiddies)
They would direct their experts to wait for the launch and shipment of Vista before making announcements :D
I think Symantec live in a love / hate relationship with regards of making money out the bad guys and hating their eh-fing gutts
They would direct their experts to wait for the launch and shipment of Vista before making announcements :D
I think Symantec live in a love / hate relationship with regards of making money out the bad guys and hating their eh-fing gutts
Symantec has been prone to Vista Hysteria lately. It seems to me that they are overreacting.
As you can tell, I trust them even less than I do Microsoft.:-)
Bruce, you should fix your own bloatware psuedo software, before whining about someone elses. Symantec and Big Steaming Pile, synonymous.
The steps MS is taking are good ones, even if they software is not perfected. If they can find a way to secure the kernal without making it too secure, then it will be a large step in protecting those ignorant users who fall prone to being clones in a DDoS attack. However, you can not make a computer foolproof unless you cut the cat5 between the pc and the internet. So, how far do they go?
Do I see this as them trying to compete with McAfee, Norton, etc? No. I see this as MS trying to bring to market a more secure O/S to remove the lable they have worn over the last 10 years. Basically its like an engineer trying to design a secure building to prevent break-ins. However, you still have to have doors to allow those who are supposed to be in access. And for that, there will always be the threat of break ins. Its a catch 22 with the ignorant users caught in the midst.
They have less viruses(last count:0) because they were designed that way. The recent media hype regarding "hacks" into OSX boxes have proved to be very disingenous, if not downright dishonest. Put any computer in a LAN and give the "hacker" the root credentials, and yes you can hack it. Put it on the internet and use the default settings, with a firewall, a proper password, and good luck. The viruses you have been hearing about are theoretical, not something out in the wild.
Windows has more viruses(last count: 543523432+) because they are designed that way. It is also very eay to hack into, also by design.
Let me guess, your idea of a good firewall is the MS firewall in XP, ya know the one that blocks incoming but allows all outgoing(including all the dastardly programs that windows flaws let piggyback in on legit data.
Your claim is so ridiculous, it would be funny if ignorance were funny.
A few steps they are taking are good ones(like finally catching up to the decades old idea of a true multi-user system, which is one reason why *nix is so damn secure), but many are half-baked at best. Like moving critical system processes in memory to one of 512 static places, that is an amaterish security "fix" and I am being generous. That "innovation" will be hacked and exploited within 3 days of Vista being released, if that day ever comes.
BTW, how can a kernel(do you even know what that is?) be "too secure"?
You are right about one thing: "Its a catch 22 with the ignorant users caught in the midst.", with you smack dab in the middle of the ignorant users.
The historical problem with Windows is the scripting systems
and internal message authentication.
Since Windows was stupidly designed as a networked OS and not
provided with enough security, it was easy for a hacker to send
you an email which automatically launches a script as if
someone were typing at the keyboard as Admin, let it raid your
Outlook address book, install an application, turn you into a
mail server, populate itself to all your other Windows user
friends, record everyone's actions, send back any 16 digit
numbers you type in... on and on.
Unix and everything after Windows NT are network OSs,
meaning if you make any network connection, you're in the
kernel. Security depends upon how well you can contain the
input from a network connection. Unix usually launches a
process that dies immediately after it's done - doesn't persist
and wait for the next command. The old Mac OS had networking
as a layer on top of the OS and you needed the password to get
to the OS. That's one reason why there were only 40 viruses for
the old Mac OS.
Windows RELIES on the ability of applications to talk to each
other freely and make system calls without restriction. Hackers
are just using those abilities for themselves.
Those paths largely don't exist in Linux or OS X. Sure, there are
patches to fix problems all the time - it's electronic warfare,
after all - but LInux and OS X have a HUGE jump on Windows.
Unlike Windows which runs as root (Admin) and will happily run
whatever you tell it, the majority of exploits the common Linux
or Mac user will encounter would require someone to be at the
keyboard with the Admin password to install it first. Windows
can be made to attack itself with four lines of code.
You want security? Encrypt the important stuff on your computer
and be done with it.
I fix many people's computers (most often destroyed by viruses and spyware) and end up having to reinstall windows. A lot. There's 2 things about this that make me want to cry. The lack of base security and install times.
Vista cuts down install time, so that's one problem down. Now there's argument over securing the kernal. What? This is what thousands of windows users have been crying for since windows 98. Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?
So Symantec McCrappyProduct is having problems adapting to a secure (cross our fingers) O/S? Tough. If they were concerned about people and not profit, they wouldn't be in buisness. I don't want to continue my initial boot ritual of downloading 50 programs to try to secure a hole-filled O/S. If I could convince non-tech-savvy people to switch to Macs I would, but compatability with jobs and refusal to learn a new O/S is like a 20ft cement wall.
If MS actually secures Vista to a reasonable degree, I can do without 3rd party security support, and so can the majority of the non-tech-savvy people who are suckered into paying for extra security, or are otherwise forced to reinstall windows every 2 months.
"I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. "
Making a kernel that is more difficult to secure does not make it more secure. There is no such thing as an "over secure kernel". If something has been "secured" to a point it is unusable, it is just that - unusable.
Security starts from bottom up, from the kernel, to user environment, to applications, to user education.
"Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?"
I would like the choice of doing this or not. If M$ do intend to use anti-competitive practices then I would be against it as it affects my ability as a consumer to make a choice.
The main problem I have with lots of people's attitude with security and Windows is their need to fuzz the whole subject into a neat tidy single solution. Security is a moving target, it doesn't matter how many patches are out there for a system. What matters is the cause of the problem and how it is dealt with and how quickly.
Lots of security issues with XP with to do with the nature of XP such as the need for an administrator account for day to day use, or the lack of distinction between trusted and untrusted applications. The list goes on and on, and not just for M$. The point is if you truly believe the statement of "I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. " with regards to an inaccessible kernel to third parties. You deserve a bucket of sand to stick your head in to protect you from all those nasty things out there.
<a class="jive-link-external" href="http://www.techknowcafe.com/content/view/603/43/" target="_newWindow">http://www.techknowcafe.com/content/view/603/43/</a>
Stupidity issues a warning to update Windows when it's now announced that the Windows defense has more holes in it to give hackers easier access. Huh?
Good one, idiots! Dept of Homeland Stupidity is more of a threat to U.S. citizens.
Imagine that we outlaw gas engines and mandate that everyone switch to electric. The private security companies that protect buildings will not be able to keep up with the crooks that, since they are breaking the law anyway, do not care that gas engines are illegal and use them anyway. The Dodge Viper outruns the golf cart every day, and the only people not able to keep up are those following the law.
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If theres anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
Cheers.
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If theres anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
Cheers.
Why is it then, we don't see through it when the media reports one of its tired Microsoft storylines? For the newcomers, I'll name three - "Microsoft can't ship software on time," "Microsoft code is not secure", "Microsoft is using its monopoly for evil purposes."
Anyone ever wonder if things aren't that simple?Yeah, I'm sure Steve Ballmer walked into a meeting with the core OS devs at Microsoft and said, "guys, we need a way to squash all those security vendors we've been working with for years - you know, the ones who have allowed shrinking profits and massive consolidation to serve as excuses for failing to innovate and actually provide useful features for customers while we've been getting a shellacquing in the media over security." And I'm sure all those developers said, "sure Steve, but what should we do about all those stories about Microsoft not being able to ship software on time. Rearchitecting the kernel to put Symantec out of business is going to take some time."
So Microsoft changes some stuff for Vista and Symantec, et al have to port their code forward. Yep - they actually have to try and find a few of those engineers they laid off after the last OS shipped. Also, if they'd all discovered such easy ways around Patchguard, why wouldn't they disclose it? Doesn't that only strengthen their case? I suspect their backdoor is more like, "login as administrator, then replace the kernel with one from the previous beta without patchguard, then hope the OS doesn't detect what you just did."
In terms of the kernel being secure, I think the state of Israel is a really good analogy (whatever your politics). El-Al is the most secure airline in the world. The Mossad is a serious bunch of bad-*****, and the Israeli army is one of the most lethal fighting forces on the planet. Battle-tested is a good thing, and Windows has a lot more time in the trenches than Mac OS.
One time my son was begging me to install that piece of software received from his friend. I checked on Internet and found that it is a trojan. You know what would happen if he had admin privileges.
NT-based Windows is a secure OS (don't laugh). All kernek objects have a security descriptor attached, NTFS files have user-level access rights, etc.
MS advised for long time (since NT 3.0) that any user-modifiable items, like settings, user INI files and data files, go to user-specific profile folder. But most ignorant ISVs (name any software developper, including some divisiong of MS) kept putting user data in Windows and Program files folders.
The problem with Windows XP started when MS, trying to reduce user complaints, gave all new users administrative rights by default. They didn't want complaints about that shiny game (put your favorite name here) to refuse to run. That actually might be fixed by user-level redirection, but didn't happen.
Now we have that any 10 years old sitting in front of Daddy's computer is an administrator. When that web site asks him: "want to install this cool thing?" Yes, of course, I want! Get a piece of malware...
If you run with limited user privileges, you can forget about AV, and so.
The real issue here is how well does Microsoft guard access to the kernel? Do they have the proper API's set up in their OS to allow 3rd parties to dock to the Operating System with Kernel or Kernel similar level access and do they authentication those processes contantly and do they have a special 3rd party certification program which would be required prior to giving such applications kernel or near-kernel access?
Microsoft will say that all of these are coming, but as they are not currently and readily available to 3rd parties... Microsoft is more or less shutting other 3rd party vendors out of the market until their 64-bit version has gained a bit of dominance.
MS will probably claim that it takes time to get all of those ready, but in the mean time... they are forcing others out of the market.
If they wanted to do it right, they should have already had the API's and the 3rd party certifications programs already activated prior to their beta release.
Some applications require kernel or near kernel level access... so blocking them all out is beyond the call of duty. But on the other hand... giving just any application full reign without any security checks/controls is the opposite end of the spectrum.
MS has been on the weak opposite end of the spectrum and now they're switching full swing to the other side of the spectrum which allows nothing.
As more and more complain about it... they'll eventually open that part up and offer similar to what I've mentioned above, but in the mean time... they're ramming their 64-bit version which supports nothing else first until it has enough to make it a near dominant monopoly again and then finally open it up to others... after they've already gained a good lion's share of the market.
Thus this story is not really too far off the mark.
Sure Microsoft needs to make it's OS more secure, but it also requires compatibility with 3rd party products which rival theirs and that's where their push and shove methods start tipping to the monopolistic methods and tactics which they use.
They could have done as I mentioned above... but hey... MS's intent is for them to continue to be the major player and what better way than this... using security as the auspicies to shut others out.
You can still have a secure operating system and allow kernel or near-kernel access... you just have to do it properly... something which Microsoft has decided against at this time but which they will be forced to allow in the future... after they've forced the market yet again!!!
Microsoft has been using ploys like this for ages and thus it's nothing new or unexpected... but it does border on anti-competition which is why sparks are starting to fly.
FWIW
<a class="jive-link-external" href="http://news.com.com/2100-1002-6103949.html?tag=tb" target="_newWindow">http://news.com.com/2100-1002-6103949.html?tag=tb</a>
And, here is an interesting bit of that discussion that I have taken part in...
<a class="jive-link-external" href="http://news.com.com/5208-1002-0.html?forumID=1&threadID=20070&messageID=172840&start=-1" target="_newWindow">http://news.com.com/5208-1002-0.html?forumID=1&threadID=20070&messageID=172840&start=-1</a>
Hope this helps...
That it doesnt even really bear dissecting...
Mostly, it seems to me that, it is ONLY Microsoft, and their SHILLS, that keep demanding everyone believe that such things as MANDATORY "driver signing" - BY MICROSOFT, will in any way "improve security". Almost EVERYBODY ELSE sees this as yet another attempt by Microsoft to CONTROL THE INDUSTRY, and EXTRACT REVENUE. Maybe, you should honestly investigate the "technical arguments" that are being made.
And, as to being "happy" to upgrade...
...Its also a very well known FACT that, MOST OF THE INDUSTRY, seems to think that "Vista" is the MOST DEFINITE "hold-off on buying", on the computer-industry horizon. In fact, more and more people seem to think that "Vista" could be Microsofts BIGGEST-FAILURE, both commercially, ...and "legally".
But, I did like that "billions of mac users" line... It is simply PRECIOUS.
Does Microsoft have the benefit of this collective knowledge? On the face of it, that appears doubtful.
So what happens to the interests of Users?
We had many vendors to choose from - Symantec, McAfee, Kaspersky, Sophos, Panda .........
We could change Vendors whenever we wanted.
In contrast, we must now hope that Microsoft knows enough to do the PC Security job. OTHERWISE - we will have to rely on the old brigade who will now be forced to work "around and against" Microsoft - NOT - with Microsoft.
This certainly does not look like progress.