Security solution provider Agnitum claims that Microsoft's kernel patch protection will shut out competing products unless competitors resort to hacker tactics.
In an article posted to the company's Web site, Agnitum said that because of the way Microsoft designed its kernel patch protection "it will be more complicated for third-party security software companies to install and maintain their software on Windows PCs. In some circumstances, kernel patch protection may even block the installation of third-party security software."
The brunt of the complaint centers on the way some vendors hook into the kernel in order to gain enough control to defend the system against attacks. Agnitum said that, in order to protect a system, developers sometimes resort to patching the kernel. Such a patch might involve changing a service number's entry in the system's Service Dispatch Table so that it points to third-party code. Then, when that particular service is called by a program, the third-party code is invoked instead of the original kernel code.
But that method of hooking into the lower levels of the operating system won't be possible with the new kernel patch protection, which will be a standard feature of Windows Vista and the upcoming Longhorn server operating systems. Kernel patch protection was introduced with the release of Windows Server 2003 Service Pack 1 for x64 platforms and Windows XP x64 Edition.
According to Microsoft's documentation, there is no way to disable kernel patch protection on a system-wide basis or for individual applications or drivers; the only way to disable it is to attach a debugger to the system. Microsoft expects developers to use its published application programming interfaces (APIs) to gain the functionality required for a given application. However, Agnitum claims that Microsoft's published APIs don't allow developers to gain preemptive, on-the-fly control over low-level system activity on systems that include kernel patch protection.
In closing its article Agnitum said that "Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously be detected by and remedied with anti-virus software will now cause the [system to crash]. The same result will occur after installation of security software that is not compatible with kernel patch protection technology. [We] believe this move by Microsoft is designed to force users to rely on Microsoft and only Microsoft for Windows security, removing the option to use third-party security solutions that, if past experience is anything to go by, are likely to be more robust and provide better protection than Microsoft offerings."
In its Kernel Patch Protection FAQ Microsoft said, "The primary motivation for implementing patch protection in Windows is to protect the integrity of the Windows kernel and, as a result, improve the overall reliability, performance, and security of Windows [...] Protecting the integrity of the kernel is one of the most fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching. However, it is not a panacea."
Agnitum said that hackers already know how to go around the kernel patch protection and that legitimate software developers who formerly relied on kernel patching techniques might have to adopt hacker tactics in order to maintain the functionality of their software.
Reader Comments
This is ridiculous. Every security measure Microsoft tries to add to the OS, someone has to complain about.
"Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously be detected by and remedied with anti-virus software will now cause the [system to crash]."
That assumes that the person has anti-virus software, and that it is up to date. The accurate statement is "Under Microsoft's proposed solution [of using its published APIs], a rootkit that could previously **run amok and trash your system** will now cause the [system to crash]." (my changes in asterisks.)
A crash is much better than your system being infected by a rootkit.
PatriotB6007 -July 27, 2006
"This is ridiculous. Every security measure Microsoft tries to add to the OS, someone has to complain about."
Exactly! If a security vendor patches the kernel, then system reliability will decrease, no matter how careful they are. Microsoft *should* make its OS impervious to viruses, spyware, rootkits, etc. even if it means antivirus vendors go out of business.
NateB2 -July 27, 2006
Laugh of the day...
"[We] believe this move by Microsoft is designed to force users to rely on Microsoft and only Microsoft for Windows security, removing the option to use third-party security solutions that, if past experience is anything to go by, are likely to be more robust and provide better protection than Microsoft offerings."
Fixing a long-standing security issue is anti-competitive? Maybe the best thing for Microsoft to do is to open the entire lower levels of Windows up to everyone, so antivirus vendors can receive more business. (Who knows? Maybe the EU can force MS to release another "special" edition without the security features!)
All these antivirus companies becoming worried about Vista (as in how to find security issues and thus sell their products) is heartening to me. Maybe Vista will *finally* be (nearly) secure!
NateB2 -July 27, 2006
"is heartening"
typo - "are heartening"
For those people who put [sic] after every typo...
NateB2 -July 27, 2006
Microsoft believes kernel patch protection defends code and critical structures in the Windows kernel against modification by unknown code or data. Kernel patch protection stores and periodically verifies checksums of specific kernel memory areas (network components); if a checksum mismatch is found, the result is the dreaded Blue Screen of Death (BSOD). According to Microsoft, this technique should prevent SDT modification and thwart the intentions of a number of rootkits.
It's Microsoft's design that will crash the system: AV software that alters the SDT will be seen as a rootkit and BSOD the system, not because of poor-quality software, but again because of Microsoft's system design changes.
Third-party security solutions create a much-needed additional level of protection, and having a variety of these tools available empowers the user while handicapping the hacker. Simply put, it is much harder for malware writers to adapt malicious code for different protection mechanisms from multiple vendors than it is to attack a single-vendor solution that purports to be a universal fix.
This is true; else it's like putting all your eggs in one basket: you just need to design your malware to beat Microsoft kernel patch protection and you're in.
Kernel patch protection does complicate rootkit writers' lives. But they can use quick-and-dirty techniques, because they don't need to worry about compatibility with existing system and application software.
Again true: if your malware crashes on 50% of PCs, what do you care? It's working on the other 50%.
notawindowsuser -July 28, 2006
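The two mechanisms described on this page, the dispatch-table redirect from the article and the periodic checksum verification from the comment above, modelled together in one added example. This is not code from the article, from Agnitum or from Microsoft; it is a user-mode C simulation in which `dispatch_table`, `call_service`, `protect_table`, `table_intact`, `install_hook`, `remove_hook` and `hook_is_detected` are assumed names, the FNV-1a hash stands in for whatever checksum the real mechanism uses, and nothing touches a real kernel. It shows the point the comment makes: a well-behaved third-party hook that forwards to the original code changes exactly the same table bytes a rootkit would, so a byte-level integrity check cannot tell the two apart.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a kernel service dispatch table: service numbers
 * index an array of function pointers.  Names and layout are assumptions for
 * this example, not the real Windows table. */
typedef long (*service_fn)(long arg);

static long svc_read(long arg)  { return arg + 1; }
static long svc_write(long arg) { return arg * 2; }
static long svc_close(long arg) { (void)arg; return 0; }

#define NUM_SERVICES 3
static service_fn dispatch_table[NUM_SERVICES] = { svc_read, svc_write, svc_close };

/* Dispatcher: what a system-call path does with a service number. */
long call_service(unsigned num, long arg) {
    if (num >= NUM_SERVICES) return -1;
    return dispatch_table[num](arg);
}

/* FNV-1a over the raw bytes of the table.  Stands in for the checksum that
 * patch protection keeps over the kernel regions it guards. */
static uint64_t table_checksum(void) {
    const unsigned char *p = (const unsigned char *)dispatch_table;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof dispatch_table; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t baseline;   /* checksum recorded when protection is armed */

void protect_table(void) { baseline = table_checksum(); }

/* Periodic verification.  Returns 1 if the table matches the baseline and 0
 * if any entry changed, which is the case where the real mechanism bug-checks. */
int table_intact(void) { return table_checksum() == baseline; }

/* The redirect described in the article: point a service number at
 * third-party code.  Here it is just an array store in user space. */
static service_fn saved_original;

static long filtered_read(long arg) {
    /* A security product's wrapper: inspect, then forward to the original. */
    return saved_original(arg);
}

int install_hook(unsigned num, service_fn fn) {
    if (num >= NUM_SERVICES) return -1;
    saved_original = dispatch_table[num];
    dispatch_table[num] = fn;
    return 0;
}

int remove_hook(unsigned num) {
    if (num >= NUM_SERVICES || saved_original == NULL) return -1;
    dispatch_table[num] = saved_original;
    saved_original = NULL;
    return 0;
}

/* Scenario from the comment: a hook that faithfully forwards to the original
 * still changes the table bytes, so the checksum no longer matches.
 * Returns 1 if the verifier reports the table as modified. */
int hook_is_detected(void) {
    protect_table();
    install_hook(0, filtered_read);
    int detected = !table_intact();
    remove_hook(0);
    return detected;
}

int main(void) {
    protect_table();
    printf("intact before hook:   %d\n", table_intact());
    install_hook(0, filtered_read);
    printf("read(41) via hook:    %ld\n", call_service(0, 41));
    printf("intact after hook:    %d\n", table_intact());   /* 0: bug check */
    remove_hook(0);
    printf("intact after restore: %d\n", table_intact());
    return 0;
}
```

The check compares only the bytes of the table against a snapshot, so it carries no notion of who made a change or whether the replacement forwards correctly; that is the property the article is complaining about and the property that makes it effective against the rootkits Microsoft's FAQ has in mind.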
"Maybe Vista will *finally* be (nearly) secure!"
Yes, and then the Easter Bunny and Santa Claus will stop by and give everyone a gift basket filled with chocolate and lollipops, and we'll all ride our pretty pink ponies past the gumdrop waterfalls and candy floss trees of la-la land!
"Microsoft security" is the industry's biggest oxymoron. Third-party vendors have done more to shore up this company's swiss-cheese software than Redmond has ever been able to. Yes, I'm hopeful that MS will get it right this time, but then again, I've been hopeful for peace in the Middle East and that hasn't happened yet, either.
Anything that prevents third-party vendors from helping secure Windows--or makes it more difficult for them to do so--is a bad idea. I can't for the life of me understand why anyone (outside of the bean counters at Microsoft) would think differently.
-------
Wow! Only FIVE refreshes needed to get a usable verification image! Things are improving!
lotsamystuff -July 28, 2006
"Anything that prevents third-party vendors from helping secure Windows"
If a virus writer or a rootkit writer can use the feature to corrupt Windows, then MS should lock the feature down. Windows *should not* need antivirus/antispyware to secure their system.
NateB2 -July 28, 2006
I agree with NateB2 on this.
Everyone wants Windows to be more secure. So MS starts locking it down, sure, maybe a little later than they should have, but they are doing it. Now everyone is whining.
Wah wah wah. Our RAM- and CPU-intensive security software won't work.
GOOD!
A secure Windows means you won't have to run Norton or McAfee's system hogging C R A P on your machine.
Here's hoping they can pull it off.
sticknick -July 28, 2006
Isn't it good news that security vendors hate Vista?
shark47 -July 28, 2006
"Windows *should not* need antivirus/antispyware to secure their system."
I agree. I also know that where there's no market, there's no product, and there's a helluva lot of security products out there. MS has done a horrible job with security, hence the need for third parties to step in. I sincerely doubt that Vista is going to render them useless. We'll see.
------
Image verification refreshes: FIVE
lotsamystuff -July 28, 2006
Kernel patch protection would've stopped the installation of the Sony rootkit.
The rootkit part of it, at least. It still would've installed the DRM driver, it just would not have been masked.
They've done KPP for x64 versions of Windows because there is no backwards compatibility needed for those new OSes (at the kernel level). It's too bad, with all the other security changes in x86 Vista, that they didn't do KPP for x86 as well.
PatriotB6007 -July 29, 2006
Witness what you can do on a Mac and no other:
http://www.youtube.com/watch?v=CtJMNekPAEU
bonch -July 29, 2006
Once again, the relevance of bonch's comments to the topic at hand is simply astounding...
----
Image verification refreshes: 0