Slashdot Mirror


Microsoft Locking Out Anti-Virus Makers?

twitter writes "Anti-virus makers have more to fear than stonewalling by Microsoft if a report by Agnitum, maker of Outpost Personal Firewall, is right about recent trusted computing changes. All the problems were summarized in a choice Register quote, 'In addressing the potential problem of not being able to install Outpost on new versions of Windows, we have discovered that it is possible to drill past the new security measures introduced by Microsoft - if we use the same techniques used by hackers.'"

31 of 135 comments

  1. ORly? by Umbral Blot · · Score: 3, Informative

    As someone who has written drivers for Windows before I think Microsoft's patch is a step in the right direction. It is simply too easy to spy on the user and hide the driver under the current system. If that means that anti-virus software has to be updated, and has to bug the user with more "are you sure this is OK" boxes ... well tough, sometimes that is the price of security.

    1. Re:ORly? by tyler.willard · · Score: 5, Insightful

      Ya RLY. Too easy? At ring 0 *everything* is, and should be, visible/alterable. That's the whole point of ring 0 existing in the first place. There is another concern as well: If Redmond locks out 3rd party security and utility vendors from full ring 0 access they become the only ones able to provide the most powerful utilities and security products. As it stands now, SoftICE has been discontinued and sysinternals has been acquired. I don't particularly relish the idea of having to take MS's word for what's happening down in kernel or having theirs being the only powerful security/utility products available.

    2. Re:ORly? by Anonymous Coward · · Score: 2, Insightful

      It's not just a matter of not having the tools... Trusted Computing hardware allows the running of encrypted code. You'll never know what Microsoft is up to, because your own PC hardware works to stop you.

    3. Re:ORly? by staticsage · · Score: 2, Insightful

      The only problem is no matter how many "are you sure this is OK" boxes you throw at some people, they will still blindly click Yes...

    4. Re:ORly? by Traiklin · · Score: 2, Interesting

      and I know first hand how easy it is to.

      I decided to try out vista one time and it installed and ran perfectly fine on my computer, the only drawback to it was EVERYTIME I wanted to open a folder or program a window would pop up asking me if I was sure I wanted to open it (apparently Microsoft doesn't even trust themselves cause I was opening Windows Media Player 11 when I got the most windows) after about the 20th popup window asking me if I wanted to open a file I knew was ok I just started clicking yes to see how the damn thing worked.

      now, just imagine someone getting to that point when they launch and it's been out for a little while, how many calls will tech support (Dell, Microsoft any company that makes PCs) get from people asking if it's ok to run a microsoft product? how many calls will they get when they accidentally click No to an important option (say their email, they read it wrong and suddenly they no longer can use outlook), how many calls will family members get when their Mother/Father/Uncle/whatever says they don't have a clue if the security warning that microsoft put in place is ok to click Yes or No to when they run WMP, Outlook, IE or any other MS owned programs.

    5. Re:ORly? by Crayon Kid · · Score: 2, Interesting
      "If Redmond locks out 3rd party security and utility vendors from full ring 0 access they become the only ones able to provide the most powerful utilities and security products."

      But how can it be done? From the Agnitum story I for one understood that it's not possible to achieve this.

      Sure, they can actually and fully deny access to low level kernel functions to every piece of software, but in that case how will certain things get done? Some stuff needs access to get its job done. Obviously not a choice.

      Or, they can just not document the API (which I get the impression is what they're trying to do now), in which case people will reverse engineer the software that uses it and they'll find out what they need to know. Malware writers and legit software writers alike.

      I'd like a saner alternative, myself. But how can the kernel tell which software is legit and which is not? Should the software present a key? Not really an airtight solution. Should the software ask the user to enter the admin password? Again, can be circumvented and misused.

      So, how can one safely regulate access to a machine's lower functions? Deny it all? Allow it all? What if you want something in between?
      --
      i ate crayons when i was a kid and now i have two braincells and the blue ones taste nicer
    6. Re:ORly? by cheater512 · · Score: 3, Insightful

      And the more boxes you throw at them the less likely they are to read it.

      /me makes an automatic 'Yes' clicker and sells it for $10.

    7. Re:ORly? by werewolf1031 · · Score: 2, Interesting
      "Typical of M$ "security", this change is just another inconvenience to the legitimate user."

      This isn't about inconveniencing the legitimate user. It's about inconveniencing the legitimate developer. The black-hat hackers will still get in once they figure out ways around this, and since the legit devs will be locked out by no-reverse-engineering laws, the legit users will be forced to rely on MS and only MS for security. It's another win for MS monopolization in the guise of "enhanced security".
  2. Microsoft is just isolating itself by The Real Toad King · · Score: 3, Insightful

    By making its kernel and software more closed, they're just locking out new developers and applications. If they keep this up, Windows may only be able to run Microsoft Software.

    1. Re:Microsoft is just isolating itself by RightSaidFred99 · · Score: 5, Insightful
      They're not locking anybody out. It's silly to think that developers should have full access to every single internal structure or API call. It's called "bad design principle". It means they can't change things internally.

      The real problem may just be limitations in the API they _ARE_ providing. That's fine, work with them on it. Don't whine that their internal structures and kernel level calls are changing - you are NOT supposed to use those anyway.

    2. Re:Microsoft is just isolating itself by kripkenstein · · Score: 4, Insightful

      "They're not locking anybody out. It's silly to think that developers should have full access to every single internal structure or API call."

      Fair enough. But, consider this: do you really believe that developers of Microsoft security products (firewall, antispyware, OneCare, etc.) will NOT have access to whatever API they ask for? That if they need access to one, a technical solution will not be devised?

    3. Re:Microsoft is just isolating itself by CodeBuster · · Score: 3, Insightful

      Ok, fair enough, but to what extent is Microsoft liable if your attempted hacking, even if your purpose is noble, results in damage to the kernel? If you use a product or modify that product in a way that the manufacturer never intended then how can you say that it is the fault of the manufacturer that your modifications, hacking, or misuse cause the product to fail? The malware writers will of course do what they want and the anti-virus writers have made it their business to try and stop them. However, the anti-virus writers must accept responsibility for their own products even though they don't fully control the underlying system...that was part of the risk they took when they got into the business.

    4. Re:Microsoft is just isolating itself by DrScott · · Score: 3, Informative

      Apple may be bundling software, but the difference is that the user is _totally free_ to use competitor's software. I use other browsers, other word processors, and other multimedia software than those supplied by Apple alongside their products. Competitor's software is not crippled. Yet you have no problems defending Microsoft trying to make everybody use only their software. Microsoft was _convicted_ of anti-trust violations in the US and Europe (and is being investigated in other regions too) not because they bundled products, but because they consistently tried to do so in unethical ways that drove competitors out of business.

    5. Re:Microsoft is just isolating itself by calciphus · · Score: 3, Insightful

      Microsoft never made it difficult / impossible to install a 3rd party media player on any system they've ever made. Nor did they do that with a browser. That's the line fed by money-grubbing anti-trust lawyers to uninformed users.

      The primary argument the ACTUAL anti-trust lawsuit was based on was that Microsoft was leveraging the dominance of one product to the advantage of the other, giving it an "unfair competitive advantage". The fact that Windows Media Player came pre-installed made paying for a product like Real Networks's RealPlayer (a particularly crappy piece of software, I might add) very unlikely for the average user. When WMP moved from being just a basic media player to including things like playlists, internet streaming (before it was called 'podcasting') and visualizers, it became a competitor for programs like WinAmp and RealPlayer. Anti-trust lawyers argued somewhat successfully that this amounted to Microsoft unfairly leveraging market dominance and discouraging competition.

      Now, YOU have no problem arguing that Apple is somehow above this. Let's look at the iPod: Clearly the market leader in mobile media players, they REQUIRE you to install iTunes to load music onto it. They even go so far as to SUE other companies that make software that can download to the iPod (see: RealNetworks, WinAmp iPod plugin, etc). It isn't even for DRM stuff. Just transferring unencrypted files to and from an iPod constitutes a crime (according to Apple legal) if you aren't using iTunes. //technically// using the Windows Explorer to do so is a violation of the "terms and agreements" you apparently agree to when you buy an iPod.

      So get off your high horse, Mac Zealot. All that's white and cheap plastic isn't gold.

    6. Re:Microsoft is just isolating itself by grcumb · · Score: 4, Interesting
      "It's silly to think that developers should have full access to every single internal structure or API call. It's called "bad design principle". It means they can't change things internally."

      WTF? I understand what you're getting at, but please think about what you've just written for a second.

      It's not at all silly to give developers full access to your system internals, as long as you're clear about the repercussions of using them. In fact, there's a whole bunch of developers using this stuff called FOSS, which is based entirely on this principle.

      I know, I know; your point is that if developers depend on a certain implementation, then the vendor is forced to continue supporting it forever, which, according to your reasoning, leaves them with no further room to grow or innovate. Unfortunately, that perspective is just bollocks. FOSS developers deal with this every day, and they've found a perfectly workable process:

      Supported APIs are marked as such. Deprecated APIs are marked, too, with the clear warning that past this version, you're on your own. Unsupported interactions with the internals are marked - not fenced, but simply labelled Here Be Dragons. You're welcome to venture there if you want, but don't go asking for help if something goes wrong. Most developers benefit from a better understanding of how the whole system works, and can in fact suggest or offer improvements in upstream functionality as well as better implementing their own.

      I'd be fascinated to know why you think that things are somehow different for Microsoft than they are for IBM or Novell.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    7. Re:Microsoft is just isolating itself by cob666 · · Score: 3, Interesting
      "do you really believe that developers of Microsoft security products (firewall, antispyware, OneCare, etc.) will NOT have access to whatever API they ask for? That if they need access to one, a technical solution will not be devised?"

      I have a friend that was working on the transactional file system for Vista and I asked him a similar question regarding undocumented APIs. His answer was two-fold.
      Part 1 of his answer was that normally if a developer requires access to a system process that is not currently exposed via an API then he must request that interface from the development team responsible for that particular system process. This is normally the long way to get something done as this new interface must be documented.
      Part 2 of his answer was that MOST undocumented APIs in Windows are actually APIs that were never intended to be included in the released product. A common way for an undocumented API to make it to release would be that a developer requires access to a system process for testing purposes so they have an alternate way to access that process. The interface is designed with the full intention of removing it. Application Developer B finds out about this new interface and actually uses it for the next release of Media Player (or any other Windows application). When the time comes to remove the interface, Developer B informs the group that the interface is being used in a production application and can't be removed.

      --
      Do what thou wilt shall be the whole of the Law - Aleister Crowley
  3. Just the opposite by Vampyre_Dark · · Score: 5, Funny

    Microsoft has actually been bending over backwards to help the anti-virus companies properly integrate their products into the new windows Vista. The problem comes from miscommunication. Billy is using his new speech-to-text program for all correspondence.

  4. Microsoft's Principles? by pieterh · · Score: 3, Insightful

    So how does this fit with Microsoft's 12 Windows Principles?

    Oh hang on, nowhere in those principles does it mention anything about giving competitors open access to Windows systems. Maybe this one:

    "Microsoft is committed to designing and licensing Windows (and all the parts of the Windows platform) on terms that create and preserve opportunities for application developers and Web site creators to build innovative products on the Windows platform -- including products that directly compete with Microsoft's own products."

    Translation: We love products that compete with us, so long as they run on Windows, because it just means you're doing the R&D work for us. Hey, that's how we got to be so large, by taking ideas from other people, so why stop now?

  5. Better Summary by RightSaidFred99 · · Score: 5, Insightful
    "Our software doesn't work, we're pissed."

    They are basically saying that they want the existing weak kernel model to continue to be supported because at least it allows them to do things they way they have been for a long time. This is, of course, stupid. It's like my locksmith not wanting me to get a new door because his equipment won't work with it, even if the new door theoretically provides the basis for better security long-term.

    I'm not saying the new intercept model is great, I'm saying the answer isn't "leave it like it was". Instead of whining, why don't they engage Microsoft and figure out what exactly they need. Regardless of what your average wanker thinks, Microsoft will NOT be in a good situation if Vista turns out to be a dud security-wise. They want it to work.

  6. They Started With Device Drivers by LaNMaN2000 · · Score: 2, Insightful

    Microsoft started treating device drivers that were not 'certified' for Windows XP differently in the installation process. The certification process is expensive and I have had numerous drivers that generated warning prompts because the manufacturers did not pay the Microsoft tax. I had a feeling that it would only be a matter of time before Microsoft created its own 'digital signature' like process for certifying system or application software.

    --

    ByteMyCode.com: A Web 2.0 code sharing community.
    1. Re:They Started With Device Drivers by gnuman99 · · Score: 4, Interesting

      It is called "Designed for Windows" program. Yes, applications have to be signed. And yes, you have to send a copy to MS so they can verify if you follow guidelines when they get 1000s of core dumps from your application. Or complaints about spyware and crap.

      http://www.microsoft.com/winlogo/default.mspx

      Yes, it costs money because you have to buy a digital certificate from Verisign. And send the software on a CD to MS, so a postage stamp there too.

      And yes, MS will probably start treating software from unknown vendors differently than those that have registered. But after all, how can you blame them with all the spyware screensavers and other crap.

      We already see digital signatures in Linux like Debian. Untrusted repositories get flagged as "WARNING!! Untrusted source. WARNING!!". Microsoft should be doing the same to protect its user base.

    2. Re:They Started With Device Drivers by bogado · · Score: 3, Interesting

      If the user can choose whom he trusts, then it is okay. In my fedora computer I can easily install a new source to my software and say that all packages signed by this source are okay to go in. I can also de-install a default source if they show that they are not trustworthy.

      If the windows user has the same set of choices, then it is okay, but if MS is the only one who can bless applications to install or run without warnings in the windows platform and there is nothing I joe user can do to change this, then I believe it is a problem.

      Just imagine if MS will give its blessing to all the open source software that is available now for windows. The answer is no, and the author will probably never even ask for such a blessing for the simple fact that it will cost money. Now if the windows user could just say to his system that the software package with the signature of that John Doe who happens to sign all kinds of open source software and distribute them on his site is fine, then it is fine. Just like I can install software from Livna that packages software that Red Hat simply doesn't want to distribute, and never will, due to legal problems.

      --
      []'s Victor Bogado da Silva Lins

      ^[:wq
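      The trust model gnuman99 and bogado describe above (signed packages, a keyring the user controls, and an "untrusted source" warning for anything signed by a key the user has not accepted), as an added example in Go that is not from this thread, from Debian, Fedora or any real package manager. The ed25519 key pairs, package contents and fingerprints are all constructed inline for the demo, and the TrustStore/Package/Scenario names are hypothetical. The point it shows is the one bogado makes: a valid signature is not enough by itself, the signer also has to be in a keyring the user can add to and remove from.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Results a package manager would surface to the user. The wording of
// ErrUntrustedSource follows the Debian-style warning quoted in the thread.
var (
	ErrBadSignature    = errors.New("signature does not match package content")
	ErrUntrustedSource = errors.New("WARNING!! Untrusted source. WARNING!!")
)

// TrustStore is the user-controlled keyring: signer public keys indexed by
// fingerprint. Adding or removing an entry is the user's decision, not the vendor's.
type TrustStore struct {
	keys map[string]ed25519.PublicKey
}

func NewTrustStore() *TrustStore {
	return &TrustStore{keys: map[string]ed25519.PublicKey{}}
}

// Fingerprint is a short, stable identifier for a public key (first 8 bytes of its SHA-256).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// Trust adds a signer to the keyring and returns its fingerprint for later revocation.
func (ts *TrustStore) Trust(pub ed25519.PublicKey) string {
	fp := Fingerprint(pub)
	ts.keys[fp] = pub
	return fp
}

// Revoke removes a signer; packages it signed are flagged from now on.
func (ts *TrustStore) Revoke(fp string) { delete(ts.keys, fp) }

// Package is a signed artifact: content, the signer's public key (shipped alongside,
// the way a key id accompanies a detached signature) and a signature over SHA-256(content).
type Package struct {
	Name    string
	Content []byte
	Signer  ed25519.PublicKey
	Sig     []byte
}

// SignPackage is what a publisher runs; the trust store never sees the private key.
func SignPackage(name string, content []byte, priv ed25519.PrivateKey) Package {
	digest := sha256.Sum256(content)
	return Package{
		Name:    name,
		Content: content,
		Signer:  priv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(priv, digest[:]),
	}
}

// Verify accepts a package only if the signature is valid for its content AND the
// signer is in the user's keyring. A valid signature from an unknown key is not enough.
func (ts *TrustStore) Verify(p Package) error {
	digest := sha256.Sum256(p.Content)
	if !ed25519.Verify(p.Signer, digest[:], p.Sig) {
		return ErrBadSignature
	}
	if _, trusted := ts.keys[Fingerprint(p.Signer)]; !trusted {
		return ErrUntrustedSource
	}
	return nil
}

// Scenario walks through the situations discussed in the thread and returns the
// verification result of each step, in order:
//   0: vendor-signed package, vendor key shipped in the default keyring
//   1: the same package tampered with after signing
//   2: a package from an independent signer the user has not yet added
//   3: the same package after the user adds that signer's key
//   4: a vendor package after the user revokes the vendor's key
func Scenario() [5]error {
	// Constructed keys for the demo; a real keyring would import them from key files.
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	indiePub, indiePriv, _ := ed25519.GenerateKey(rand.Reader)

	ts := NewTrustStore()
	vendorFP := ts.Trust(vendorPub)

	var out [5]error
	vendorPkg := SignPackage("vendor-tool", []byte("constructed vendor payload"), vendorPriv)
	out[0] = ts.Verify(vendorPkg)

	tampered := vendorPkg // copy the struct, then alter the content after signing
	tampered.Content = append(append([]byte{}, vendorPkg.Content...), '!')
	out[1] = ts.Verify(tampered)

	indiePkg := SignPackage("foss-tool", []byte("constructed third-party payload"), indiePriv)
	out[2] = ts.Verify(indiePkg)

	ts.Trust(indiePub) // the user decides to trust this publisher
	out[3] = ts.Verify(indiePkg)

	ts.Revoke(vendorFP) // ...and decides to stop trusting the default one
	out[4] = ts.Verify(vendorPkg)
	return out
}

func main() {
	for i, err := range Scenario() {
		fmt.Printf("step %d: %v\n", i, err)
	}
}
```

      Signing the SHA-256 digest rather than the raw content is a convention, not a requirement of ed25519; it keeps the signed message fixed-size whatever the package size. The fingerprint is only a lookup key here, so truncating the hash is fine; it is not used to bind identity on its own.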

  7. cry me a river by r00t · · Score: 4, Funny

    Binary patching a kernel is just plain wrong. It's an unstable hack.

    You're supposed to patch the kernel source and recompile. Oh...

    1. Re:cry me a river by Opportunist · · Score: 2, Funny

      If you apply an unstable hack to an unstable hack, is the result stable?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Microsoft can barely keep up with patching IE... by TheNoxx · · Score: 2, Insightful

    How exactly are they going to keep up with all of the new viruses/trojans/etc released for Vista? I know it's supposed to be "so goddamn secure", but nothing's foolproof, let alone a silly little MS product.

    I dread to think how bad the current state of spyware/adware and malicious code would be if MS made themselves the end-all for anti-virus protection in XP. What a monumental fuckup Vista will be.

    --
    Ex nihilo nihil fit.
  9. This is a bogus complaint. by Dogun · · Score: 2, Informative

    You can do your antivirus activities just fine using supported methods and interfaces, and it doesn't require patching kernel code.

    Filesystem filter driver. Possibly some other filter drivers. Cleaning service. Low-privilege interface. That's all you need.

  10. Making headlines four years from now... by Sixtyten · · Score: 2, Funny

    Microsoft's New OS to Run Exclusively Microsoft Products

    October 28, 2010

    REDMOND, Wash. — Microsoft has just made a last-minute change in plans for its newest operating system, Windows Vista.

    The operating system, scheduled for release this December, will now only run Microsoft products, according to CEO Steve Ballmer.

    "This is a very exciting time for us all," announced Ballmer. "For years, end-users have been forced to choose between products by third party developers and Microsoft. Now, they won't have to," he explained.

    Ballmer also claims that the new operating system will feature cutting-edge security.

    "Because the system will only run Microsoft products, you will continue to see the stability and security you expect of Microsoft," he continued. "And with the new Privacy Protection Advantage software, you can be assured your copy of Windows is genuine, because otherwise all of your hard drives would be erased and appropriate authorities will be dispatched. You couldn't possibly be able to use this system if it wasn't."

    Microsoft also recently announced its new Quality Assurance Software, which is bundled with Windows Vista and is now a required Windows XP update.

    "It searches your hard drives for foreign operating systems and deletes them immediately to assure that all of your software on your machine is of uniformly good quality. It also will automatically reinstall Windows on all of your hard drives in case you get tempted and decide to try any lesser operating systems," Ballmer noted.

  11. Old Arguments: Users vs the Monopoly by buckhead_buddy · · Score: 2, Insightful

    While Linux, BSD, and (past) OSX developers are used to an open kernel, Microsoft has a long tradition of security through obscurity. Microsoft has also not had a problem with rolling over competitors and even collaborators with a lock-out technology when they feel they are in a position to make more money. Those arguments are common and they won't even make a blip on the consciousness of most people.

    What would really get Microsoft to pull its greedy hands out of making "security services" the next extension of its monopoly powers? I think it would be when the Ralph Naders, and liability lawyers take Microsoft becoming the sole provider as admission of making a product with a faulty design and trying to profit from it.

    If you want to make Microsoft open its doors and keep its hands off the security market, then you need to make noise about this new tactic as being a tacit admission of faulty products and trying to profit from supplying the broken product and the fixes. Perhaps then, Microsoft might be eager to open the kimono for third party or independent review.

  12. Happens every time they change something by Sycraft-fu · · Score: 5, Insightful

    Programmers are lazy, that's just how it goes. I remember all the Sturm und Drang over Windows 2000 and its new audio model. Basically, MS did a revamp of how audio was handled in 2000. It's a much better model. However it was different from what the pro audio companies were used to so they cried about it. I had a $600 10-channel pro card at the time. When 2k came out, I wanted to switch. However they had no 2k drivers, you had to install the NT drivers which did work, but were a pain in the ass. They said "There will never be Windows 2000 drivers, 2000 is unsuited to audio."

    What they were worked up about was the kernel mixer, a subsystem that introduces 30ms of latency to audio. Now of course this isn't a problem, first because the drivers are aware of this and do time compensation so it only matters for live sound-on-sound recording (meaning you are playing something that a musician is listening to and recording what they are doing) and you can bypass the kernel mixer anyhow.

    Well finally they figured that out (it's in the documentation for the new driver model) and they released a driver... That only supported 2 channels of the 10 on the card. They claimed that the new driver model didn't support more than 2 channels on a card. I e-mailed MS about this and I think they were sufficiently surprised by the stupidity of the question that they responded. They pointed out that not only could they enumerate the device as multiple 2-channel devices (as you had to do in Win98 and NT since they only supported 2 channels) but WDM could handle real multi-channel devices as well.

    Some e-mails back and forth with the company and finally they came out with a functioning WDM driver for their card. These days, their cards have ONLY WDM drivers available, they don't support 98 or NT anymore. However it was like pulling teeth to get them to learn the new method of doing things. Not because it was worse, it's not, but because they just wanted to keep doing things how they had in the past.

    I'm sure that's basically what this is. MS has changed the way things work, if it's better or not one can debate, but it's not to screw the AV companies over. They are just being whiny because they don't want to have to change the way they do things.

  13. Agnitum Outpost by bananaendian · · Score: 2, Interesting

    I've been using a free version of Agnitum's Outpost firewall for several years now on my w2k machine and it's a clever little program, far simpler and thinner than the offerings from the major players. However like any good firewall program it does require the user to make very technical decisions on network traffic permissions whenever a process tries to contact the internet. Now before I praise it for not letting a process (virus/spyware/legitware) do a thing I don't want for the last couple of years, I do have to mention a disclaimer that in addition I've got the latest security updates for w2k, a NATted hardware firewall on the router and generally secured my system according to NSA's manuals.

    Unlike in a Unix environment, in Windows the basic security concepts aren't required of the user. Windows computers despite the networking or even server capabilities are still built upon the philosophy of Personal Computer where the user has total control but also total responsibility for what the software does. Microsoft's attempts to somehow augment security on top of this flawed concept are not going to succeed and in fact seem to be going the opposite way. Certainly my w2k box is easier to make secure than XP with its 'security improvements' and it seems Vista will make it impossible for the user to secure the computer that he's supposed to own and control.

    Sadly I will try to stick with poor old w2k as long as possible but eventually I might have to resort to going the OSX way...

    --
    www.tribalnetworks.org - helping tribal people around the world to own their own means of high-tech communications
  14. Re:Fark for the news, Slashdot for the comments! by cli_rules! · · Score: 2, Funny
    "No-one comes here for the news! Not only is it always a day or two late, we often recycle it just for fun, and then make 'slashbacks' on it one more time just to annoy the hell out of people like you."

    Agreed. We come here for the wit.