July 27, 2006

Security Vendor Claims Microsoft Is Shutting Out Competition

Security solution provider Agnitum claims that Microsoft's kernel patch protection will shut out competing products unless competitors resort to hacker tactics.

In an article posted to the company's Web site, Agnitum said that because of the way Microsoft designed its kernel patch protection "it will be more complicated for third-party security software companies to install and maintain their software on Windows PCs. In some circumstances, kernel patch protection may even block the installation of third-party security software." 

The complaint centers on the way some vendors hook into the kernel to gain enough control to defend the system against attacks. Agnitum said that, in order to protect a system, developers sometimes resort to patching the kernel. Such a patch might change the entry for a service number in the system's Service Dispatch Table so that it points to third-party code. When a program then calls that service, the third-party code is invoked instead of the original kernel code.

But that method of hooking into the lower levels of the operating system won't be possible with the new kernel patch protection, which will be a standard feature of Windows Vista and the upcoming Longhorn server operating systems. Kernel patch protection was introduced with the release of Windows Server 2003 Service Pack 1 for x64 platforms and Windows XP x64 Edition.

According to Microsoft's documentation, there is no way to disable kernel patch protection on a system-wide basis or for individual applications or drivers. The only way to disable it is to attach a debugger to the system. Microsoft expects developers to use its published application programming interfaces (APIs) to gain the functionality required for a given application. However, Agnitum claims that Microsoft's published APIs don't allow developers to gain preemptive, on-the-fly control over low-level system activity on systems that include kernel patch protection.
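As an added illustration (not code from the article, Agnitum or Microsoft), here is a user-mode C model of the two mechanisms the article describes: a dispatch table whose entry a third party redirects to its own code, and a checksum of that table that the protection records once and re-verifies later. The table, the services, the FNV-1a checksum and the filter function are all constructed for the example; what it shows is that the integrity check fails identically whether the entry was redirected by a security product or by a rootkit, which is exactly the compatibility problem the article reports.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the kernel's service dispatch table: function
 * pointers indexed by service number (a model, not the real Windows SSDT). */
typedef int (*service_fn)(int);
static int svc_open(int x)  { return x + 1; }
static int svc_read(int x)  { return x * 2; }
static int svc_close(int x) { return x - 1; }
#define SERVICE_COUNT 3
static service_fn dispatch_table[SERVICE_COUNT] = { svc_open, svc_read, svc_close };
static uint64_t baseline;   /* checksum recorded by protection_init() */

/* FNV-1a over the raw bytes of the table: the checksum that patch protection
 * records once and re-verifies periodically. */
static uint64_t table_checksum(const service_fn *table, size_t count) {
    const unsigned char *p = (const unsigned char *)table;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < count * sizeof(service_fn); i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

void protection_init(void) {
    baseline = table_checksum(dispatch_table, SERVICE_COUNT);
}

/* 1 = table unchanged, 0 = patched. The real check bug-checks on a mismatch;
 * this model only reports it. Note that it cannot tell who made the patch. */
int protection_verify(void) {
    return table_checksum(dispatch_table, SERVICE_COUNT) == baseline;
}

/* Dispatch the way the kernel would: look the service number up in the table. */
int call_service(int index, int arg) {
    return (index < 0 || index >= SERVICE_COUNT) ? -1 : dispatch_table[index](arg);
}

/* Replace one entry with third-party code (the hooking the article describes),
 * here a hypothetical filter that inspects the call and forwards to svc_read. */
static int filtered_read(int x) { return svc_read(x); }
int install_hook(int index, service_fn fn) {
    if (index < 0 || index >= SERVICE_COUNT) return 0;
    dispatch_table[index] = fn;
    return 1;
}
```

After `install_hook(1, filtered_read)` the service still answers correctly, yet `protection_verify()` returns 0, because the check compares bytes, not intent.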

In closing its article Agnitum said that "Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously be detected by and remedied with anti-virus software will now cause the [system to crash]. The same result will occur after installation of security software that is not compatible with kernel patch protection technology. [We] believe this move by Microsoft is designed to force users to rely on Microsoft and only Microsoft for Windows security, removing the option to use third-party security solutions that, if past experience is anything to go by, are likely to be more robust and provide better protection than Microsoft offerings."

In its Kernel Patch Protection FAQ Microsoft said, "The primary motivation for implementing patch protection in Windows is to protect the integrity of the Windows kernel and, as a result, improve the overall reliability, performance, and security of Windows [...] Protecting the integrity of the kernel is one of the most fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching. However, it is not a panacea."

Agnitum said that hackers already know how to go around the kernel patch protection and that legitimate software developers who formerly relied on kernel patching techniques might have to adopt hacker tactics in order to maintain the functionality of their software.





Reader Comments
This is ridiculous. Every security measure Microsoft tries to add to the OS, someone has to complain about.

"Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously be detected by and remedied with anti-virus software will now cause the [system to crash]."

That assumes that the person has anti-virus software, and that it is up to date. The accurate statement is "Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously **run amok and trash your system** will now cause the [system to crash]." (my changes in asterisks.)

A crash is much better than your system being infected by a rootkit.

PatriotB6007 July 27, 2006


"This is ridiculous. Every security measure Microsoft tries to add to the OS, someone has to complain about."


Exactly! If a security vendor patches the kernel, then system reliability will decrease, no matter how careful they are. Microsoft *should* make its OS impervious to viruses, spyware, rootkits, etc. even if it means antivirus vendors go out of business.

NateB2 July 27, 2006


Laugh of the day...

"[We] believe this move by Microsoft is designed to force users to rely on Microsoft and only Microsoft for Windows security, removing the option to use third-party security solutions that, if past experience is anything to go by, are likely to be more robust and provide better protection than Microsoft offerings."

Fixing a long-standing security issue is anti-competitive? Maybe the best thing for Microsoft to do is to open the entire lower levels of Windows up to everyone, so antivirus vendors can receive more business. (Who knows? Maybe the EU can force MS to release another "special" edition without the security features!)

All these antivirus companies becoming worried about Vista (as in how to find security issues and thus sell their products) is heartening to me. Maybe Vista will *finally* be (nearly) secure!

NateB2 July 27, 2006


"is heartening"

typo - "are heartening"

For those people who put [sic] after every typo...

NateB2 July 27, 2006


Microsoft believes kernel patch protection defends code and critical structures in the Windows kernel against modification by unknown code or data. Kernel patch protection stores and periodically verifies checksums of specific kernel memory areas (network components); if a checksum mismatch is found, the result is the dreaded Blue Screen of Death (BSOD). According to Microsoft, this technique should prevent SDT modification and thwart the intentions of a number of rootkits.

It's Microsoft's design that will crash the system: AV software that alters the SDT will be seen as a rootkit and BSOD the system, not because of poor-quality software, but again because of Microsoft system design changes.

Third-party security solutions create a much-needed additional level of protection, and having a variety of these tools available empowers the user while handicapping the hacker. Simply put, it is much harder for malware writers to adapt malicious code for different protection mechanisms from multiple vendors than it is to attack a single-vendor solution that purports to be a universal fix.

This is true; otherwise it's like putting all your eggs in one basket: you just need to design your malware to beat Microsoft kernel patch protection and you're in.

Kernel patch protection does complicate rootkit writers' lives. But they can use quick-and-dirty techniques, because they don't need to worry about compatibility with existing system and application software.

Again true: if your malware crashes on 50% of PCs, what do you care? It's working on the other 50%.

notawindowsuser July 28, 2006


"Maybe Vista will *finally* be (nearly) secure!"

Yes, and then the Easter Bunny and Santa Claus will stop by and give everyone a gift basket filled with chocolate and lollipops, and we'll all ride our pretty pink ponies past the gumdrop waterfalls and candy floss trees of la-la land!

"Microsoft security" is the industry's biggest oxymoron. Third-party vendors have done more to shore up this company's Swiss-cheese software than Redmond has ever been able to. Yes, I'm hopeful that MS will get it right this time, but then again, I've been hopeful for peace in the Middle East and that hasn't happened yet, either.

Anything that prevents third-party vendors from helping secure Windows--or makes it more difficult for them to do so--is a bad idea. I can't for the life of me understand why anyone (outside of the bean counters at Microsoft) would think differently.

-------

Wow! Only FIVE refreshes needed to get a usable verification image! Things are improving!

lotsamystuff July 28, 2006


"Anything that prevents third-party vendors from helping secure Windows"

If a virus writer or a rootkit writer can use the feature to corrupt Windows, then MS should lock the feature down. Windows *should not* need antivirus/antispyware to secure their system.

NateB2 July 28, 2006


I agree with NateB2 on this.

Everyone wants Windows to be more secure. So MS starts locking it down, sure, maybe a little later than they should have, but they are doing it. Now everyone is whining.

Wah wah wah. Our RAM- and CPU-intensive security software won't work.

GOOD!

A secure Windows means you won't have to run Norton or McAfee's system hogging C R A P on your machine.

Here's hoping they can pull it off.

sticknick July 28, 2006


Isn't it good news that security vendors hate Vista?

shark47 July 28, 2006


"Windows *should not* need antivirus/antispyware to secure their system."

I agree. I also know that where there's no market, there's no product, and there's a helluva lot of security products out there. MS has done a horrible job with security, hence the need for third parties to step in. I sincerely doubt that Vista is going to render them useless. We'll see.

------

Image verification refreshes: FIVE

lotsamystuff July 28, 2006

