August 10, 2006 2:55 PM PDT
Windows defense handcuffs good guys
- Related Stories
-
Piecing together Windows Vista
November 8, 2006 -
Symantec picks away at Vista's core
August 9, 2006 -
Symantec continues Vista bug hunt
July 24, 2006 -
Chills at Microsoft's security huddle
July 24, 2006 -
Rootkits get better at hiding
July 18, 2006 -
Microsoft swims upstream on security
June 22, 2006 -
Microsoft shakes up security fray
June 7, 2006 -
Beware the Microsoft 'monoculture'
May 18, 2006 -
Intel's VPro to boost security
April 24, 2006 -
Symantec won't 'whine' about Microsoft
October 11, 2005 -
Microsoft launches 64-bit Windows
April 25, 2005 -
AMD unveils details of its 64-bit chip
September 23, 2003
Microsoft designed PatchGuard to safeguard core parts of Windows, including Vista, against malicious code attacks. But some security companies say that the feature makes it harder for them to protect Windows PCs, as it locks them out of the kernel, the core of the operating system.
"PatchGuard is hurting security vendors more than it is hurting malware writers," Bruce McCorkendale, a chief engineer at Symantec, told CNET News.com in an interview Wednesday. "There are types of security policies and next-generation security products that can only work through some of the mechanisms that PatchGuard prohibits."
Symantec is not alone in its complaints, but it is the largest security company to speak out publicly. Sana Security and Agnitum, two smaller vendors, said they share its concerns, but giants Cisco Systems and McAfee declined to comment for this story.
Microsoft defends the technology, which applies only to 64-bit versions of Windows. Cybercrooks have found ways to exploit the kernel for malicious purposes, making the protection offered by PatchGuard key to securing the operating system, said Stephen Toulouse, a program manager in Microsoft's Security Technology Group.
"It is more important to prevent the installation of malicious software than it is to allow third-party vendors, no matter what the software, to extend the kernel," Toulouse said. "This is not specific to security software. This is a global change to 64-bit Windows to provide a more security computing experience."
Microsoft's push into the security market has put many defense providers on guard. Symantec, especially, looks wary; it has said it will compete with Microsoft as long as there is a level playing field. Now, for the first time, Symantec is saying that Microsoft is limiting the security choices of consumers--which could be interpreted as anticompetitive behavior.
"PatchGuard will make it harder for third parties, particularly host intrusion prevention software, to function in Vista," said Yankee Group analyst Andrew Jaquith. "Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use 'black hat' techniques to bypass the restrictions."
Barriers to the kernel
PatchGuard debuted a year ago in Windows XP x64 Edition, but the technology was never broadly adopted. That's set to change when Windows Vista hits store shelves in January, analysts expect. As people buy PCs with 64-bit processors use of the 64-bit edition of Windows will increase.
In particular, PatchGuard inhibits host intrusion prevention products, security vendors and analysts said. These "HIPS" products are an upcoming class of security software that determines whether a program is malicious by looking at its behavior, rather than using the classic signature-based approach, which checks a program against a database of known threats.
On top of this, PatchGuard blocks features to protect against tampering with security tools, McCorkendale said. Malicious programs increasingly try to disable security software, and the tamper-protection features aim to prevent that.
"There is a whole bunch of companies out there that have pioneered next-generation security, that are limited by PatchGuard," McCorkendale said.
There's another "disturbing side effect," according to a Symantec blog posting. While legitimate security vendors can no longer make extensions to the Vista kernel, attackers have already found ways to disable and work around PatchGuard, it says.
Sana Security and firewall maker Agnitum sounded a similar alarm.
"Bad guys can bypass PatchGuard today," said Vlad Gorelik, chief technology officer at Sana Security, which makes host intrusion prevention software. "Microsoft has this assumption that if you put a shield in, the bad guys will stay out. That is not the way it works. But now they force security vendors to bring a knife to a gun fight."
The barrier to the Windows kernel forces security companies to adopt hacker tactics, Gorelik said. "We will have to come up with alternative mechanisms for doing the same thing," he said. "In some cases, we can actually take a page out of the bad guys' text book and bypass PatchGuard."
With PatchGuard, Microsoft is effectively taking control of security for the Windows core, Gorelik said. Previously, third parties could also provide defenses for that part of the operating system, he said. Now, if PatchGuard breaks, it will be up to Microsoft to fix the flaw and make Windows PCs secure.
"They would have to patch the kernel if someone bypasses PatchGuard," Gorelik said, noting that the kernel is the toughest thing to fix in the operating system.
See more CNET content tagged:
kernel,
Symantec Corp.,
intrusion prevention,
Stephen Toulouse,
64-bit
competition. </sarcasm>
the general business and technology folks, this may be news for them... but for sure its known about between the circles of the underground elite hackers (elite hackers means elite hackers, not kiddies)
You see, I had been serious considering upgrading to a full 64 bit machine when Vista finally gets around to shipping, but if they're going to make it impossible to secure my computer, I have to reconsider.
Harry Voyager
First off this a BETA...yes BETA...BETA...BETA. Some things in this BETA will be fixed before shipping.
Second thing most of these comments come from MS rivals who are feeling the heat from MS offering their own securit tools. Most will cry monopoly and unfair play by MS....these same people will say MS products are full of holes and they need to patch them. MS cant win.
Lastly I think AV products makers are just scare mongers out to scare you into buying their products.
Hackers.....are just a total waste of air and take everything for society and give nothing back...someone should set off a tactical nuke at the next Black Hat convention and take out most of them with one shot.
I have been buying AV products for years at home and for the corporations I have worked at. I have never gotten a virus at home...but being in IT all my life I have my home enviroment always patched and locked down. At work I have seen a few outbreaks and 99.9% of the time they could have been prevented with either good administration or proper patching. MS gets fixes out fast for most of their products and warns the world to apply them.
I think the AV/security vedor buisness is 90% BS!
the general business and technology folks, this may be news for them... but for sure its known about between the circles of the underground elite hackers (elite hackers means elite hackers, not kiddies)
They would direct their experts to wait for the launch and shipment of Vista before making announcements :D
I think Symantec live in a love / hate relationship with regards of making money out the bad guys and hating their eh-fing gutts
They would direct their experts to wait for the launch and shipment of Vista before making announcements :D
I think Symantec live in a love / hate relationship with regards of making money out the bad guys and hating their eh-fing gutts
Symantec has been prone to Vista Hysteria lately. It seems to me that they are overreacting.
As you can tell, I trust them even less than I do Microsoft.:-)
Bruce, you should fix your own bloatware psuedo software, before whining about someone elses. Symantec and Big Steaming Pile, synonymous.
The steps MS is taking are good ones, even if they software is not perfected. If they can find a way to secure the kernal without making it too secure, then it will be a large step in protecting those ignorant users who fall prone to being clones in a DDoS attack. However, you can not make a computer foolproof unless you cut the cat5 between the pc and the internet. So, how far do they go?
Do I see this as them trying to compete with McAfee, Norton, etc? No. I see this as MS trying to bring to market a more secure O/S to remove the lable they have worn over the last 10 years. Basically its like an engineer trying to design a secure building to prevent break-ins. However, you still have to have doors to allow those who are supposed to be in access. And for that, there will always be the threat of break ins. Its a catch 22 with the ignorant users caught in the midst.
They have less viruses(last count:0) because they were designed that way. The recent media hype regarding "hacks" into OSX boxes have proved to be very disingenous, if not downright dishonest. Put any computer in a LAN and give the "hacker" the root credentials, and yes you can hack it. Put it on the internet and use the default settings, with a firewall, a proper password, and good luck. The viruses you have been hearing about are theoretical, not something out in the wild.
Windows has more viruses(last count: 543523432+) because they are designed that way. It is also very eay to hack into, also by design.
Let me guess, your idea of a good firewall is the MS firewall in XP, ya know the one that blocks incoming but allows all outgoing(including all the dastardly programs that windows flaws let piggyback in on legit data.
Your claim is so ridiculous, it would be funny if ignorance were funny.
A few steps they are taking are good ones(like finally catching up to the decades old idea of a true multi-user system, which is one reason why *nix is so damn secure), but many are half-baked at best. Like moving critical system processes in memory to one of 512 static places, that is an amaterish security "fix" and I am being generous. That "innovation" will be hacked and exploited within 3 days of Vista being released, if that day ever comes.
BTW, how can a kernel(do you even know what that is?) be "too secure"?
You are right about one thing: "Its a catch 22 with the ignorant users caught in the midst.", with you smack dab in the middle of the ignorant users.
The historical problem with Windows is the scripting systems
and internal message authentication.
Since Windows was stupidly designed as a networked OS and not
provided with enough security, it was easy for a hacker to send
you an email which automatically launches a script as if
someone were typing at the keyboard as Admin, let it raid your
Outlook address book, install an application, turn you into a
mail server, populate itself to all your other Windows user
friends, record everyone's actions, send back any 16 digit
numbers you type in... on and on.
Unix and everything after Windows NT are network OSs,
meaning if you make any network connection, you're in the
kernel. Security depends upon how well you can contain the
input from a network connection. Unix usually launches a
process that dies immediately after it's done - doesn't persist
and wait for the next command. The old Mac OS had networking
as a layer on top of the OS and you needed the password to get
to the OS. That's one reason why there were only 40 viruses for
the old Mac OS.
Windows RELIES on the ability of applications to talk to each
other freely and make system calls without restriction. Hackers
are just using those abilities for themselves.
Those paths largely don't exist in Linux or OS X. Sure, there are
patches to fix problems all the time - it's electronic warfare,
after all - but LInux and OS X have a HUGE jump on Windows.
Unlike Windows which runs as root (Admin) and will happily run
whatever you tell it, the majority of exploits the common Linux
or Mac user will encounter would require someone to be at the
keyboard with the Admin password to install it first. Windows
can be made to attack itself with four lines of code.
You want security? Encrypt the important stuff on your computer
and be done with it.
I fix many people's computers (most often destroyed by viruses and spyware) and end up having to reinstall windows. A lot. There's 2 things about this that make me want to cry. The lack of base security and install times.
Vista cuts down install time, so that's one problem down. Now there's argument over securing the kernal. What? This is what thousands of windows users have been crying for since windows 98. Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?
So Symantec McCrappyProduct is having problems adapting to a secure (cross our fingers) O/S? Tough. If they were concerned about people and not profit, they wouldn't be in buisness. I don't want to continue my initial boot ritual of downloading 50 programs to try to secure a hole-filled O/S. If I could convince non-tech-savvy people to switch to Macs I would, but compatability with jobs and refusal to learn a new O/S is like a 20ft cement wall.
If MS actually secures Vista to a reasonable degree, I can do without 3rd party security support, and so can the majority of the non-tech-savvy people who are suckered into paying for extra security, or are otherwise forced to reinstall windows every 2 months.
"I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. "
Making a kernel that is more difficult to secure does not make it more secure. There is no such thing as an "over secure kernel". If something has been "secured" to a point it is unusable, it is just that - unusable.
Security starts from bottom up, from the kernel, to user environment, to applications, to user education.
"Wouldn't you like to install a fresh operating system on a computer, and then NOT have to go out and download antivirus, antispyware, and a 3rd party firewall (the MS one is a joke)?"
I would like the choice of doing this or not. If M$ do intend to use anti-competitive practices then I would be against it as it affects my ability as a consumer to make a choice.
The main problem I have with lots of people's attitude with security and Windows is their need to fuzz the whole subject into a neat tidy single solution. Security is a moving target, it doesn't matter how many patches are out there for a system. What matters is the cause of the problem and how it is dealt with and how quickly.
Lots of security issues with XP with to do with the nature of XP such as the need for an administrator account for day to day use, or the lack of distinction between trusted and untrusted applications. The list goes on and on, and not just for M$. The point is if you truly believe the statement of "I don't care even if it is anti-competitive at this point, I just want a secure O/S for once. " with regards to an inaccessible kernel to third parties. You deserve a bucket of sand to stick your head in to protect you from all those nasty things out there.
http://www.techknowcafe.com/content/view/603/43/
Stupidity issues a warning to update Windows when it's now announced that the Windows defense has more holes in it to give hackers easier access. Huh?
Good one, idiots! Dept of Homeland Stupidity is more of a threat to U.S. citizens.
Imagine that we outlaw gas engines and mandate that everyone switch to electric. The private security companies that protect buildings will not be able to keep up with the crooks that, since they are breaking the law anyway, do not care that gas engines are illegal and use them anyway. The Dodge Viper outruns the golf cart every day, and the only people not able to keep up are those following the law.
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If theres anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
Cheers.
We can get rid of Symantec then think about getting rid of Microsoft later, but one at a time :)
I'm in support of Microsoft on this one, you rock.
If theres anything I can do to help in Symantec's destruction (legally), then throw me an e-mail.
Cheers.
Why is it then, we don't see through it when the media reports one of its tired Microsoft storylines? For the newcomers, I'll name three - "Microsoft can't ship software on time," "Microsoft code is not secure", "Microsoft is using its monopoly for evil purposes."
Anyone ever wonder if things aren't that simple?Yeah, I'm sure Steve Ballmer walked into a meeting with the core OS devs at Microsoft and said, "guys, we need a way to squash all those security vendors we've been working with for years - you know, the ones who have allowed shrinking profits and massive consolidation to serve as excuses for failing to innovate and actually provide useful features for customers while we've been getting a shellacquing in the media over security." And I'm sure all those developers said, "sure Steve, but what should we do about all those stories about Microsoft not being able to ship software on time. Rearchitecting the kernel to put Symantec out of business is going to take some time."
So Microsoft changes some stuff for Vista and Symantec, et al have to port their code forward. Yep - they actually have to try and find a few of those engineers they laid off after the last OS shipped. Also, if they'd all discovered such easy ways around Patchguard, why wouldn't they disclose it? Doesn't that only strengthen their case? I suspect their backdoor is more like, "login as administrator, then replace the kernel with one from the previous beta without patchguard, then hope the OS doesn't detect what you just did."
In terms of the kernel being secure, I think the state of Israel is a really good analogy (whatever your politics). El-Al is the most secure airline in the world. The Mossad is a serious bunch of bad-*****, and the Israeli army is one of the most lethal fighting forces on the planet. Battle-tested is a good thing, and Windows has a lot more time in the trenches than Mac OS.
One time my son was begging me to install that piece of software received from his friend. I checked on Internet and found that it is a trojan. You know what would happen if he had admin privileges.
- It's been known for long
-
by alegr
August 11, 2006 3:25 PM PDT
- The AV companies have known it long time ago. MS have been discouraging using kernel hooks for long time, since it negatively impacts system stability. Those should have been replaced by FS filters. AV companies just been too lazy to fix their crap.
-
Reply to this comment
-
See all 69 Comments >>