Slashdot Mirror


Windows' Patchguard Hinders Security Vendors

eldavojohn writes "Windows' PatchGuard seems to be upsetting third party security vendors such as Symantec, Sana Security and Agnitum. It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but force security software companies to give up developing software for Windows. From the article: 'PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista,' said Yankee Group analyst Andrew Jaquith. 'Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.' Apparently, using these techniques is not a difficult trick."

187 comments

  1. Oh noes! by Aladrin · · Score: 5, Insightful

    "Oh noes, windows has security! What'll we do?"

    C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:Oh noes! by Anonymous Coward · · Score: 0

      Since when has Symantec been known for its innovation anyway?

    2. Re:Oh noes! by y5 · · Score: 2, Funny

      Any blackhat technique they use would be immediately patched by Microsoft.

      Yes, they could patch. Or (and it's probably obvious, but IANAL) if they want to be "legally" anti-competitive, they could always claim that third-party vendors are violating the DMCA by using said techniques...

    3. Re:Oh noes! by timeOday · · Score: 3, Interesting

      I agree, this sort of system software IS going to break with each security rev of Windows. It only stands to reason that breaking viruses, which is what MS wants to do, is likely to break anti-virus software as well.

    4. Re:Oh noes! by gstoddart · · Score: 4, Insightful
      C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods?

      Well, history tells us that the likelihood of Windows actually securing itself is pretty slim.

      If they could use black hat techniques, then it wouldn't be secure now, would it?

      Having said that, it's a catch-22. If Windows implements an approved kernel hook for the antivirus companies, it will get exploited. If they don't, then no antivirus software, but just as many virus writers.

      Whether or not Microsoft is going to help 3rd parties sell software to secure Windows, there will be people doing the same things they do now. Except in that case, the consumer is on their own and waiting for Microsoft to stop them from getting pwn3d.

      Cheers
      --
      Lost at C:>. Found at C.
    5. Re:Oh noes! by Jimmy+King · · Score: 4, Interesting

      "Oh noes, windows has security! What'll we do?"

      C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.

      Part of the complaint, though, is not just that they cannot provide proper security software for it but that MS' solution isn't actually providing any security. What they are saying is that this "security" feature makes it pretty much impossible to properly/legitimately do their job, but doesn't actually stop a good many of the techniques that hackers use.

      Whether MS' technique works or not, it's bad for us as it limits our choices.

      Of course I'm sure neither of these is a concern to symantec, only that they'll make less money, but they are still valid arguments to consider.
    6. Re:Oh noes! by MarkGriz · · Score: 2, Insightful

      "Any blackhat technique they use would be immediately patched by Microsoft"

      Immediately? I think you're being a bit generous.

      --
      Beauty is in the eye of the beerholder.
    7. Re:Oh noes! by canuck57 · · Score: 2, Interesting

      ... pc protection companies can't deal with windows actually securing itself.

      I heard this too going from Windows 98 to XP. Still waiting. Vista will be no different.

      They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too.

      Isn't this exactly what AV and firewalls already do? There is no open easy M$ official way to do any of these security functions is there? Wrapping a DLL here, swapping out a registry entry there isn't much different than a root kit is it? The only difference is the reasoning, one is to prevent further infections.

      M$ is finally doing what UNIX/Linux/BSD has enjoyed for many years, user processes should not be able to modify OS stuff! Hurray, M$ finally gets the idea!

      But me, I am already into UNIX/Linux/BSD so now that I am hooked, I just laugh at what it really costs to run a Windows platform. My worst problems are 7 year old power supplies dying when I add 500GB of disk or the thunder storm that bounced the power 5 days later.

    8. Re:Oh noes! by Fordiman · · Score: 4, Interesting

      Does anyone else smell a new monopoly suit?

      Microsoft moves into system security (with their firewall, spyware tool, and I think they recently bought an AV company), and then sets up a 'security' feature that just happens to block out their competitors?

      Yeah... that smells pungent to me.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    9. Re:Oh noes! by Nigel_Powers · · Score: 5, Insightful

      Don't kid yourself...this is NOT a case of Windows securing itself -- this is revenue protectionism at its best. Microsoft is actively trying to make third-party security vendors a thing of the past.

      In all of this, Microsoft forgets the most important thing -- It's my freakin computer! If Microsoft hinders me from getting done what I (remember me? I'm the consumer) want, then I have to reconsider my OS decision -- which I did -- about 5 years ago -- and never looked back.

    10. Re:Oh noes! by phasm42 · · Score: 4, Insightful

      To add to your point, customers won't care when their viruses/malware break, but they will care when the security software they paid for breaks. It could also discourage people from applying updates, out of fear it will break their security software.

      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    11. Re:Oh noes! by Jon+Luckey · · Score: 1

      M$ is finally doing what UNIX/Linux/BSD has enjoyed for many years, user processes should not be able to modify OS stuff!

      [cough] insmod [/cough]

      (user as in ring 3, not user as in user vs. root)

      --
      -- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
    12. Re:Oh noes! by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      M$ is finally doing what UNIX/Linux/BSD has enjoyed for many years, user processes should not be able to modify OS stuff! Hurray, M$ finally gets the idea!

      So here's the problem, certain things do need to modify "OS Stuff." What if I want to run a hypervisor, or to kernel level process monitoring? On Linux you install a new kernel module or recompile a custom kernel. On Windows, there is no official way to do this, so companies that traditionally have relied upon this must move to unofficial mechanisms. Coincidentally, these are companies MS just put out a new product to 'compete' with. This is bad for users, since it takes control away from them and makes it harder or impossible to do things they have traditionally done (like run anti-virus software from anyone other than MS). It is also, a blatant violation of anti-trust law.

    13. Re:Oh noes! by thsths · · Score: 1

      > Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself.

      Me too, but it makes business sense: the whole "pc protection" industry is based on the fact that Windows is insecure. Of course they are upset if Windows is getting more secure, and they will do everything in their power to prevent this.

    14. Re:Oh noes! by DCGregoryA · · Score: 3, Interesting

      Viruses and you. In this case we're talking about locally executed binaries that are being run with root(admin) privileges.

      I just felt it had to be said but : Since when can you not totally mess up a Linux system when you're running software as root?

      I don't see local software running as root and therefore having root permissions as "a security hole". The only security holes I worry about is elevated permissions and unauthorized installs such as the 0-day IE exploit and buffer overruns.

      While I'm glad MS is securing stuff, I'd rather they do it via preventing 0-day exploits/permission elevations and implementing "sudo/pass-request" sorts of requirements for installing software and accessing system internals in order to make the process more transparent and auditable.

      Summarily, you should not be able to totally mess up the system with any piece of software you run in a standard Windows home installation. Force a root login for that sort of thing, at least that'd make it somewhat obvious what's happening. That being said, the problem with windows (asides those I've mentioned which are valid security holes), lies not in the admin account being insecure but rather the fact that everyone and their uncle is an admin the entire time they're running.

    15. Re:Oh noes! by TexasDex · · Score: 1

      Of course they could. If by "legally anticompetitive" you mean being anticompetitive through the legal system. Lawsuits can be an illegal monopoly abuse too.

      --
      The Cheese Stands Alone.
    16. Re:Oh noes! by pete6677 · · Score: 1

      Well they have found ways to increase memory and CPU usage with every new release. We've got to give them credit for something.

    17. Re:Oh noes! by gstoddart · · Score: 3, Interesting
      Viruses and you. In this case we're talking about locally executed binaries that are being run with root(admin) privileges.

      I just felt it had to be said but : Since when can you not totally mess up a Linux system when you're running software as root?

      Absolutely you can. But, if I choose to install software, I can decide that I trust it, and want it running as root. But the rest of the time, I'm logged in as a user who doesn't have root privileges, and can't bork anything but my own stuff. If the user wishes to install kernel-level software, they're allowed. I've run apache as both userland and root; except for which ports it can bind to, apache doesn't care.

      That being said, the problem with windows (asides those I've mentioned which are valid security holes), lies not in the admin account being insecure but rather the fact that everyone and their uncle is an admin the entire time they're running.

      That has always been the problem. You simply can't do anything on windows without being the admin, because so much crap just expects to have it, and fails if it doesn't. And then every damned website you visit which has an exploit is the administrator. Whee!! How fun!

      Back in the day, if I wanted some software on a UNIX machine, and the cranky UNIX admin said "leave me the fsck alone", I could still untar it into my own directory, set my path variable (give or take one or two more) and just run it. The software ran just fine in userland, and was isolated from the OS. It could hose my files, but not the system.

      Same deal on a Mac, the folder which was the install was the whole app. You could move it or delete it -- deleting was uninstalling basically. On Windows, every bloody piece of software expects to be able to write to the registry, install itself for every user, demands that it write to Program Files, and possibly muck with some stuff in the Windows folders. Because that's how you're expected to do these things.

      The fact that you can't do anything in Windows without being the admin has always been a major source of problems. If they had a model whereby users could install software into their own "user programs" or somesuch, and that was separated from the rest of the damned OS, these things couldn't happen.

      However, as long as MS sticks with the way they have envisioned the world, preventing people from having kernel hooks (unless you use black hat methods) is kind of an empty solution, because it doesn't address the bigger problem of needing to be the Administrator to accomplish anything on a Windows machine.

      Cheers
      --
      Lost at C:>. Found at C.
    18. Re:Oh noes! by DCGregoryA · · Score: 3, Interesting

      This I tend to agree with but I don't view it so much as a "security software shortcoming" as a "convenience against security tradeoff" in their business model. I classify it as a separate thing because that isn't a "hole", it's very much "by design" in order to cater to people who know jack all about computers.

      And it's not a matter of being insecure at the software level, it's a matter of bad practices implemented to make things convenient for "low knowledge users" in home environments.

      While I get what you're saying, I separate the two issues, because you're fundamentally talking about two separate things. If every UNIX engineer wrote software the way they write it for Windows, you'd have an equal amount of UNIX issues. But either way, it's more of a procedural practice thing than it is a "bug" thing. When I'm talking about security holes I restrict it to things you can't prevent (remote exploits like buffer overruns) or things that shouldn't be happening (ie, elevated privileges).

    19. Re:Oh noes! by dolson · · Score: 1

      You're right. But I also see the solution in your message. Read it over a few times, and you'll get it. I think it's a first step towards the theory of natural selection taking its course in the computer world.

    20. Re:Oh noes! by 99BottlesOfBeerInMyF · · Score: 1

      You're right. But I also see the solution in your message. Read it over a few times, and you'll get it.

      If you're thinking switching away from Windows is the solution, you're missing the big picture. Because of their monopoly MS can do things like this that hurt consumers, but the artificial benefits to staying or problems with switching still make staying on Windows the right business case for the majority of people. If we simply had a free market, consumers would have switched already, but we don't. Monopolies break the free market and keep it from acting, thus that is not a workable solution for most.

    21. Re:Oh noes! by gstoddart · · Score: 2, Interesting
      This I tend to agree with but I don't view it so much as a "security software shortcoming" as a "convenience against security tradeoff" in their business model. I classify it as a separate thing because that isn't a "hole", its very much "by design" in order to cater to people who know jack all about computers.

      First off, I agree with everything you said in both posts.

      It just has the effect that the system is highly insecure because of the design, which is no better.

      If every UNIX engineer wrote software the way they write it for Windows, you'd have an equal amount of UNIX issues.

      That, and you'd see more UNIX engineers getting pilloried by the community and beaten up at conferences by angry old UNIX geeks who think it's an outrage to do something so stupid. ;-)

      Believe me, I have encountered UNIX software which required itself to be installed in precisely one location, with no flexibility. Those people get symlinks so I can put the software where I want it -- because I may not have the space on the partition you want to live on. And because it's my damned machine, and I get to make those choices.

      I mean, if everyone put their gas tanks where the one from the Pinto was -- which caused the car to catch fire on impact -- we'd have a lot more car fires as well. However, thankfully, people don't do what they did with the Pinto, because it's a well-known bad idea.

      Ultimately, it still leads to security issues for the end user. They don't really care about how the differences happened between Windows and UNIX. And they won't understand that they can't install their antivirus software because Microsoft has made the OS more secure. They're just going to care that for the 3rd time this year someone is suggesting a complete re-install of the OS to fix all of the crap that has snuck its way in.

      The reason for the exploit is kind of irrelevant to the end-user. They just care about the fact that they have a hosed system.

      Cheers
      --
      Lost at C:>. Found at C.
    22. Re:Oh noes! by smchris · · Score: 1

      Don't kid yourself...this is NOT a case of Windows securing itself -- this is revenue protectionism at its best. Microsoft is actively trying to make third-party security vendors a thing of the past.

      Well, then, maybe Microsoft will have to do the "charitable" thing and help out poor old Symantec like they did Apple and Borland to keep the monopoly monster away?

    23. Re:Oh noes! by RobertLTux · · Score: 1

      If every UNIX engineer wrote software the way they write it for Windows, you'd have an equal amount of UNIX issues.

      That, and you'd see more UNIX engineers getting pilloried by the community and beaten up at conferences by angry old UNIX geeks who think it's an outrage to do something so stupid. ;-)
      -----
      ie they would run dd if=/dev/baseballbat count=1000GB of=ttyS1 from the root console of the users system

      imagine a Beowulf cluster of hacked off Unix admins

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    24. Re:Oh noes! by stunt_penguin · · Score: 1

      So Microsoft plan to close the gate tight enough that your security guard can't gain access to the premises, but cheeky bastards can still poke their arms through the bars and swipe your personal data.

      Wonderful :|

      --
      When the posters fear their moderators, there is tyranny; when the moderators fears the posters, there is liberty.
    25. Re:Oh noes! by myowntrueself · · Score: 4, Interesting

      The fact that you can't do anything in Windows without being the admin has always been a major source of problems.

      I agree, but there's no *point* in doing anything in Windows without being admin.

      There is no point in running Windows as a non-privileged user.

      If you doubt my word, log into your favorite Windows as your unprivileged user and set up a scheduled task to run cmd.exe

      When the scheduled task runs and you get a command window try and see what you *cannot* do on the system...

      (I used to put a great deal of effort into running as an unprivileged user; I spent hours trying to get games to run without having to be Admin. It seems that I totally wasted my time. Thanks, Bill.)

      --
      In the free world the media isn't government run; the government is media run.
    26. Re:Oh noes! by Syrrh · · Score: 1

      Obviously Windows is NOT becoming more secure if Symantec & all already know a workaround but it's not an approved method. I doubt it'd really fall to being 'illegal', but definitely a hassle if security software is at risk of being broken by future updates. PC protection is a racket, sure, but that doesn't mean it's unnecessary.

    27. Re:Oh noes! by sqlrob · · Score: 1

      You can set it so that regular users can't schedule tasks, eliminating that hole.

      And games not running as admin is (usually) not Bill's fault. Blame copy protection for that one.

    28. Re:Oh noes! by ZiakII · · Score: 1

      Another workaround is to open up Notepad and save a cmd.bat file with the text cmd.exe, and presto, you have a command prompt.

    29. Re:Oh noes! by misleb · · Score: 1

      No! Please let Symantec die! They screw up every half-way decent piece of software they get their grubby little paws on.

      --
      "THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
    30. Re:Oh noes! by DD32 · · Score: 1

      another work around is open up notepad and save a cmd.bat file with the text cmd.exe and presto you have command prompt

      True, but it won't have root SYSTEM priv. The System account has more control than the administrator account.
      D

    31. Re:Oh noes! by Fordiman · · Score: 1

      huh?

      I'm sorry, but this is exactly the sort of bullshit monopoly laws exist to prevent: a company with an excessive amount of market share abusing its position in an attempt to exclude its competitors.

      If the above is actually your position and not a post with the intent of making fun of the Billy's Bitches Club, you have to realize that posting something of that kind of ridiculous petulance only serves to make your entire argument seem... well, pathetic.

      If it is sarcasm making fun of the MS Fanclub, you should either find a way to be more direct, or at the very least, keep your day job.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    32. Re:Oh noes! by ThePengwin · · Score: 1

      I think the problem that most people see is that windows is now going to be an operating system that is more closed off than ever before. Yes, it's going to stop all the mean nasty little bad viruses, but it's going to have the effect of insecticide: it's going to kill the things we don't want, at the expense of killing what we do want.

    33. Re:Oh noes! by driddle · · Score: 1

      I agree, this sort of system software IS going to break with each security rev of Windows. It only stands to reason that breaking viruses, which is what MS wants to do, is likely to break anti-virus software as well.

      I don't see the problem. Why can't the anti-virus software just be run as the Administrator user? In Linux you run ClamAV as root and tripwire as root and if you are really security conscious you run them off a boot CD. Why can not the Windows anti-virus people do the same thing with Vista? What is it about Vista that would prevent this?

    34. Re:Oh noes! by TheSpoom · · Score: 1

      It should, of course, be noted that this is really only the case in XP, while running in the default user configuration. Want Windows 2000-style user configuration / login?

      Administrative Tools -> Computer Management -> Local Users and Groups

      Or, alternatively, for the actual old Control Panel dialog:

      Start -> Run -> control userpasswords2

      Want to access the (much more powerful) ACL-based File Sharing and Security from 2000 rather than the simple one presented by default in XP? You need Pro, but:

      My Computer -> Tools -> Folder Options -> View -> Uncheck "Use Simple File Sharing (Recommended)".

      Unfortunately if you have XP Home, you can (apparently) only get the advanced Security tab when booted into Safe Mode.

      So yeah, it should be possible to do things as an unprivileged user. Microsoft just made it really obscure in XP. Windows 2000 (and 2003) has been running unprivileged users for ages.

      Here's some more info about accessing Win2K-style Security controls in XP Pro.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    35. Re:Oh noes! by dioscaido · · Score: 1

      Just tried, access denied.

      Scheduling system tasks requires a privileged account, not allowed in XP (at least not XP SP2).

    36. Re:Oh noes! by dioscaido · · Score: 1

      It is your freaking computer, so you can easily turn off signed driver checking. As for grandma, I'm glad this'll be one more thing to keep her from being rooted.

    37. Re:Oh noes! by Alioth · · Score: 1

      I think much of it is culture. In the Unix world, programmers have always assumed that the machine you are using is multiuser and multitasking and network connected. In the Windows world though, the culture comes from DOS - so the majority of developers treat the machine as if it were single user and single tasking and not network connected. Even in 2006.

    38. Re:Oh noes! by 49152 · · Score: 1

      >The fact that you can't do anything in Windows without being the admin has always been a major source of problems. If they had
      >a model whereby users could install software into their own "user programs" or somesuch, and that was separated from the rest
      >of the damned OS, these things couldn't happen.

      Strangely enough this is possible. You can install almost any kind of software in "user space" on Windows, except programs that need to hook into the kernel like device drivers, daemons, antivirus software and such. But I guess this exception would hold for *nix systems too.

      However the installer must be made for it. Just install files in the user's home directory, and write any registry changes under HKEY_CURRENT_USER. That part of the registry is stored in a separate file in the user's home directory and won't affect other users. It is even possible to register file types, register dll's/ocx's, desktop enhancements (like context menus), new protocols etc and only have it visible for that particular user.

      The problem seems to be that NO ONE USES THIS! Not that it is not possible. I suppose (guess) this is mostly due to developer inertia, doing it the way they always did it, and possibly due to bad or too little information from Microsoft.

      The reason I know this, is that I wrote the software installer in the company I work for, and one of the requirements I got was that the software should be possible to install without administrator privileges. My installer checks for admin privs and only offers "all users" install if running with administrator privs. This works on Windows XP & 2003, I have not checked older versions since we do not support them.

      It can be done and it is not even that hard, but sadly so few developers/companies seem to want to do that extra effort.

      PLEASE NOTE: I'm not trying to excuse Microsoft in any way. I still think they are mostly to blame for this mess since they did not establish and make known proper routines and guidelines for installing software without admin privileges in the early days of Windows.

      -- Don't bother to flame my spelling/grammar unless your Norwegian is better than my English.
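The per-user install pattern 49152 describes (files in the user's profile, registry under HKEY_CURRENT_USER, "all users" offered only when the installer actually has admin rights) in a small PowerShell installer. This is an added example, not 49152's installer or anything from the thread; the vendor "ExampleCo", the app "ExampleApp", the file extension ".exapp" and the version string are constructed placeholders.

```powershell
# Added example (constructed names: ExampleCo, ExampleApp, .exapp). Installs either
# per-user (no elevation needed, nothing visible to other accounts) or, when the
# process is already elevated and the caller asks for it, for all users.

function Test-IsAdministrator {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InstallScope {
    param([switch]$AllUsers)
    # Offer "all users" only when the token is actually elevated; otherwise fall
    # back to a per-user install instead of demanding admin rights.
    if ($AllUsers -and (Test-IsAdministrator)) { return 'AllUsers' }
    return 'CurrentUser'
}

function Install-ExampleApp {
    param(
        [Parameter(Mandatory)] [string]$SourceDir,   # folder holding the built binaries
        [switch]$AllUsers
    )
    $scope = Get-InstallScope -AllUsers:$AllUsers

    if ($scope -eq 'AllUsers') {
        $installRoot = Join-Path $env:ProgramFiles 'ExampleCo\ExampleApp'
        $hive        = 'HKLM:'
    } else {
        # Per-user: binaries under the profile, settings under HKCU. HKCU is the
        # user's own NTUSER.DAT hive, so nothing written here reaches other accounts.
        $installRoot = Join-Path $env:LOCALAPPDATA 'Programs\ExampleCo\ExampleApp'
        $hive        = 'HKCU:'
    }
    $appKey       = "$hive\Software\ExampleCo\ExampleApp"
    $classesKey   = "$hive\Software\Classes"
    $uninstallKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp"

    # 1. Files
    New-Item -Path $installRoot -ItemType Directory -Force | Out-Null
    Copy-Item -Path (Join-Path $SourceDir '*') -Destination $installRoot -Recurse -Force
    $exe = Join-Path $installRoot 'ExampleApp.exe'

    # 2. Application settings
    New-Item -Path $appKey -Force | Out-Null
    Set-ItemProperty -Path $appKey -Name 'InstallDir' -Value $installRoot
    Set-ItemProperty -Path $appKey -Name 'Version'    -Value '1.0.0'

    # 3. File-type registration (.exapp -> ExampleApp.Document). Written under
    #    HKCU\Software\Classes it is merged into HKEY_CLASSES_ROOT for this user only.
    New-Item -Path "$classesKey\.exapp" -Force | Out-Null
    Set-ItemProperty -Path "$classesKey\.exapp" -Name '(default)' -Value 'ExampleApp.Document'
    $openCmd = "$classesKey\ExampleApp.Document\shell\open\command"
    New-Item -Path $openCmd -Force | Out-Null
    Set-ItemProperty -Path $openCmd -Name '(default)' -Value "`"$exe`" `"%1`""

    # 4. Add/Remove Programs entry in the same hive, so a per-user install is
    #    listed (and removable) only for the user who installed it.
    New-Item -Path $uninstallKey -Force | Out-Null
    Set-ItemProperty -Path $uninstallKey -Name 'DisplayName'     -Value 'ExampleApp'
    Set-ItemProperty -Path $uninstallKey -Name 'InstallLocation' -Value $installRoot
    Set-ItemProperty -Path $uninstallKey -Name 'UninstallString' -Value "`"$exe`" /uninstall"

    [pscustomobject]@{ Scope = $scope; InstallDir = $installRoot; RegistryKey = $appKey }
}

# Usage:
#   Install-ExampleApp -SourceDir 'C:\build\ExampleApp'            # per-user, no elevation needed
#   Install-ExampleApp -SourceDir 'C:\build\ExampleApp' -AllUsers  # all users, only if already elevated
```

The point of routing everything through `$hive` is that the two scopes write the same key layout; only the hive differs, so a per-user install does not need a separate code path for settings, file associations or the uninstall entry. As the comment above notes, this covers ordinary applications only: anything that loads a kernel driver or runs as a service still needs an elevated install.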

    39. Re:Oh noes! by Stellian · · Score: 1

      Having said that, it's a catch-22. If Windows implements an approved kernel hook for the antivirus companies, it will get exploited. If they don't, then no antivirus software, but just as many virus writers.

      The solution should be obvious:

      Only allow hooks to be installed when the binary file providing them is digitally signed. And I don't mean the normal, $100 SSL certificate, that any phisher can get these days. Microsoft should require a large setup fee, something like $50.000 to digitally sign these kernel extensions. This should stop all virus writers, without being important to security vendors with millions of dollars income.

      Sure, since the blackhats have administrative privileges, they can always subvert the security checks using undocumented hacks, but at least, the upgrade of the system will only break the viruses, not the antivirus software.
    40. Re:Oh noes! by The+Spoonman · · Score: 1

      I'm sorry, but this is exactly the sort of bullshit monopoly laws exist to prevent: a company with an excessive amount of market share abusing its position in an attempt to exclude its competitors.

      You're absolutely right, but it only applies when there's valid competitors to the "monopoly". Let's take a look at the lineup of whiners from the last one: AOL (not even a competitor), Netscape, Sun. Companies that produce(d) ridiculously crappy products complaining that MS was stunting their growth, when the real problem was no one wanted their products. Well, aside from AOL at the time, but that share's diminishing, too. Now, we look at who might be in the next one...a bunch of companies who've made their livings selling bloated pig software that is about to be made obsolete...unless of course Microsoft leaves a gaping hole in the OS so they can shoe-horn their products down people's throats. Greaaaaaaat.

      you have to realize that posting something of that kind of ridiculous petulance only serves to make your entire argument seem... well, pathetic.

      I do what I can to fit in with the slashdot crowd!

      --
      Which is more painful? Going to work or gouging your eye out with a spoon? Find out!
      http://www.workorspoon.com
    41. Re:Oh noes! by Fordiman · · Score: 1

      I don't know of the other two companies, so I can't comment. If it were McAfee and Grisoft along with Symantec, I'd argue the point more vehemently.

      Still, Symantec makes an (arguably) good product (while I wouldn't trust it with my sister, many enterprises consider it the gold standard in security software).

      To tell the truth, security software SHOULD be using black-hat techniques. And Windows itself shouldn't be bothering with the security field (save for the 'Security Center', which is useful as a BOO in a corporate environment). Letting Windows handle its own security is kinda like letting the old crusty half-asleep guard be in charge of securing a skyscraper all by his lonesome; he's already proven he's not exactly paying attention.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  2. Huh? by Anonymous Coward · · Score: 0

    "Window's (sic) patchguard hinders security vendors"

    My window's patchguard (namely iron bars) damn well better keep out "security vendors" trying to "hook into" my house.

  3. does this mean... by krell · · Score: 5, Funny

    Does this mean there will be a new day of the week devoted to patching the patchguard?

    --
    Where were you when the voynix came?
    1. Re:does this mean... by mwilli · · Score: 2, Funny
      how about a month? We'll call it Smarch.

      Have I been watching 'The Simpsons' too long?

      --
      My sig beat up your sig.
    2. Re:does this mean... by MarkGriz · · Score: 1, Funny

      "Have I been watching 'The Simpsons' too long?"

      We all have. About 10 years too long IMHO.

      --
      Beauty is in the eye of the beerholder.
    3. Re:does this mean... by __aajqwr7439 · · Score: 1

      It's funny 'cause it's true!

  4. Why would microsoft bother? by matts-reign · · Score: 1

    I can see why microsoft would want to stop people. It is probably an attempt to stop malware. However, I think there should be a way for this security software to exist, other than resorting to "black hat" techniques. I would say this could be described as Microsoft shooting itself in the foot. Trying to stop rootkits is good and everything, but not in a way that blocks my antivirus from protecting me.

    --
    Waffles rock.
    1. Re:Why would microsoft bother? by AugustZephyr · · Score: 4, Funny

      Apparently microsoft thinks that its security measures are good enough that you don't need antivirus to protect you.

    2. Re:Why would microsoft bother? by RootWind · · Score: 1

      Well technically it shouldn't do anything to your antivirus unless it has some HIPS module. Which I don't think any consumer-grade AV even has (Though Kaspersky AV6 has something similar to HIPS with their pro-active defense features).

    3. Re:Why would microsoft bother? by Anonymous Coward · · Score: 0

      Your antivirus is not protecting you if it is Symantec. Norton AV and internet security are the worst viruses out there.

      Anything that MS can do to stop Symantec from crippling windows installations is a good thing. It has been a long time coming. It is time to put a stop to Norton's malicious revenge on his former employer. (Yes, I realise that Peter is no longer responsible for Norton AV, but the legacy is there.)

    4. Re:Why would microsoft bother? by Anonymous Coward · · Score: 0

      It is probably an attempt to stop malware.

      You must be new here. It is not M$ attempting to stop "malware." It is a way for M$ to lock the third party software companies out and make money by providing this software themselves.

    5. Re:Why would microsoft bother? by jd · · Score: 5, Interesting
      The obvious answer would be for Microsoft to define a well-known API for security software, where the entry-point for that set of functions is damn-near impervious. (A simple example - require that all software using such an API be digitally signed by a trusted vendor and counter-signed by the registered owner of the software. In a corporate setting, this would mean that patches would need to be signed off on by the IT department. In the home setting, users would have to specifically state that they approve that level of access for the software.)

      Certificates of trust already exist in Windows. They're used by web browsers. It would be trivial to use the code that is already present to check for a valid certificate. The second layer of protection - requiring the user/IT department to countersign the patch - would make transparent breakins much harder. Not impossible, but definitely much harder.

      Of course, this is all pointless these days, anyway. All a rootkit writer has to do is develop a mini hypervisor or hijack one already in use. For zombies, viruses, etc, you'd then have the externally-visible interfaces in the OS and everything else concealed outside. BIOS viruses could also be quite lethal, as they too would bypass this protection. Far too low a level for the OS to detect. These days, with graphics processors essentially being parallel CPUs, I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    6. Re:Why would microsoft bother? by yapplejax · · Score: 1

      I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.

      It's already been done. A lot. Just that no one realizes it yet.

    7. Re:Why would microsoft bother? by mabhatter654 · · Score: 1

      no, you still need THEIR anti-virus to protect you. That's the rub. Microsoft now has their own Windows Live anti spyware, anti virus, anti hacking package... so they can obviously write anti virus for new windows, but they don't want anybody ELSE to do it!!!

    8. Re:Why would microsoft bother? by pehrs · · Score: 1

      The problem you will end up with using certificates is the same problem as you have on the net. You don't know what the code you are running will do. There are three ways to solve this:

      1: Microsoft has to certify all code.
      This is slow, expensive, and still things might slip through. And it gives Microsoft a kind of control over the software you are running that you probably don't want.

      2: Anybody can sign code
      Hello, here is the OmegaDriverV3.2. Please install. You end up in a situation where you might be able to verify who has signed the code (through the usual chain of trust/web of trust, if you trust it...), but have no idea what the code will do.

      3: Anybody can sign code, but the code has to follow a security policy that the user accepts
      This would be a good idea; however, it's only implementable if the code runs in a sandbox today. It can not be done (today) on kernel-level code for performance and complexity reasons.

  5. Should be an optional feature. by DNX+Blandy · · Score: 5, Insightful

    "Window's PatchGuard" should be an optional feature. If you don't want to use it, (like me!), you should be able to NOT include it when installing etc. Being able to do what you want is the best way, forcing users only pisses them off.

    1. Re:Should be an optional feature. by slummy · · Score: 2, Interesting

      Dude, where have you been? Microsoft telling you what to do and how to do it has been their business model forever, i.e.: "This is what your start button looks like, here are your programs, here is the close button..." etc. You should be pissed off about this other shit first.

    2. Re:Should be an optional feature. by Mister+Whirly · · Score: 3, Insightful

      Using Windows is optional. If you don't like the features, you don't have to use it...

      --
      "But this one goes to 11!"
    3. Re:Should be an optional feature. by Anonymous Coward · · Score: 0

      "should be an optional feature. If you dont' want to use it, (like me!)..."

      If I used Windows, I'd share your view too. But if you read Microsoft's EULA, which you agreed to, you'll see there are a bunch of artificial things that "prevent" you from doing what you want. What makes PatchGuard any different?

      As a Windows user, you apparently are here to serve Microsoft; not the other way around. MS pissed me off 8 years ago. And I acted on that and gave MS the boot. What are you going to do?

    4. Re:Should be an optional feature. by cyber-vandal · · Score: 4, Insightful

      Yes you could just run your software on one of the many other Windows compatible OSes out there. Oh wait....

    5. Re:Should be an optional feature. by cafucu · · Score: 1

      That sounds too "modular" and "flexible". Of all the things Microsoft is stealing from superior operating systems in Vista, they refuse to steal the ability to customize and fine-tune an OS. Imagine the backlash if you could buy Vista for $100 and run it on your current PC. And imagine the mobs of angry users who would claim their systems aren't monolithic enough! They don't want to confuse their users by creating an operating system that's more useable and less bloated than the last.

      --
      :%s:work:/.:g
    6. Re:Should be an optional feature. by Ant+P. · · Score: 1

      Wine's good enough for things like flash9. Oh wait, did you mean commercial off-the-shelf software? Yeah, all of those I bought run fine on my non-windows OS. Took a while to get working though; I had to spend a full 5 seconds looking at the box to see if it supported my OS!

    7. Re:Should be an optional feature. by hurfy · · Score: 1

      "This is what your start button looks like, here are your programs, here is the close button..."

      Huh?

      Where are my programs?
      And for the life of me I can't find the END button, and the off button on my computer doesn't seem to function under Windows ;)

      All they gave me was a button labeled START, but the computer is already started.....

      Meanwhile I will wait for the VISTA-EU edition after they make MS provide a functioning interface ;P

    8. Re:Should be an optional feature. by Anonymous Coward · · Score: 0
      And for the life of me I can't find the END button, and the off button on my computer doesn't seem to function under Windows ;)

      Like Apple's "drag the CD to the trash can, normally used for deleting files, to eject the disk" metaphor, Microsoft's shutdown is equally asinine. Click START to SHUT THE FREAKING MACHINE OFF? HELLO!

      Posting anon thanks to rabid fanboi types.
    9. Re:Should be an optional feature. by cyber-vandal · · Score: 1

      And what about all the stuff that doesn't run under Wine or on an alternative OS i.e. most of it.

    10. Re:Should be an optional feature. by danaris · · Score: 1

      99% of the software out there either supports Mac, supports Linux, has a perfectly good alternative for one of these that can read and write its formats, or isn't worth buying in the first place.

      For the other 1%, well, personally, I live just fine without it.

      Dan Aris

      --
      Fun. Free. Online. RPG. BattleMaster.
  6. Why does this sound familiar? by plasmacutter · · Score: 4, Insightful

    I remember something about the entire kernel becoming a "protected process" under an MS implementation of TCPA/TCG/Palladium/(insert name of the week meant to spoof drm watchers here).

    This was meant to be an "effective" means to stop viruses, but it served more to force licensing fees out of companies which provide security solutions and to stop independent tinkerers (also known as "good" hackers) from providing cool kernel mods for power users.

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
    1. Re:Why does this sound familiar? by Anonymous Coward · · Score: 1, Interesting

      Precisely... everything Microsoft has done recently (driver signing, buying Sysinternals) is all in preparation for a move to Trusted Computing hardware... in which the Windows kernel will move behind the wall of hardware DRM and anything not Microsoft approved will be blocked by the hardware. Driver makers, security companies, and app vendors generally, will all be Billy's bitches even more than they are now.

      You can forget about "black hat" hacks, since modifying the kernel in any way will mean that it suddenly isn't trusted (Microsoft claims not to be implementing remote attestation in Windows Vista -- this is a lie, and is only a software update away once the TPM hardware is in your machine)

  7. Third parties have another choice by Anonymous Coward · · Score: 0

    Urging consumers and computer makers to stick with Win2k/XP.

    1. Re:Third parties have another choice by Anonymous Coward · · Score: 0

      yet another choice

      http://www.distrowatch.com/

  8. "using these techniques is not a difficult trick." by portmapper · · Score: 1

    it's written, but if you read even a little bit of the linked-to article, you will see that this is for x64, but no mention about i386 bits i.e. the great majority of PCs. My guess is that this will be similar for i386 as well, though.

  9. Another law suit... by jrbush82 · · Score: 1, Insightful

    Providing Microsoft decides not to provide a better means for other software companies to run security products within Vista, I'm sure a large law suit will develop within the near future... in which case, MS will be handing over a good chunk of change... seems they always lose.

    If they were smart, they would turn it into a way for them to make money. License the "technology" (for a "small" fee of course) to the software vendors so that they can attempt to provide a security solution.

    1. Re:Another law suit... by gutnor · · Score: 1

      It would be a bit unfair if MacOS and Linux could improve their security freely but Microsoft had to provide easy-to-abuse holes in Windows just because a side economy happens to make money from them.

      And what will they do when Windows loses market share (and it will, because it will be in the position of being the only door maker that cannot put locks on its doors because of the bouncer union)? Request that Linux providers and Apple provide their OS configured with root as default?

    2. Re:Another law suit... by jrbush82 · · Score: 0

      Linux by itself is just the kernel. The distributors (Red Hat, Ubuntu, Gentoo, etc..) choose different software packages to include in their releases, but by no means does the Linux kernel block software developers from providing host based intrusion detection/prevention solutions, and even if it did.... developers have the ability to make kernel patches if necessary. The source code is released for the public to use and expand on.

      As for Apple's MacOS, it has a similar build to most distributions of Linux. The kernel is based on the Mach "drop-in" replacement for the traditional UNIX kernel, as well as the BSD implementation of UNIX. After the kernel is developed, a lot of the "OS" is then built from popular *nix packages as well as much proprietary Apple software... call it a hybrid if you will.

      With Microsoft, everything is closed source and behind locked doors. If they shut out software companies from providing host based security solutions to the general population, you can be sure that there will be a lawsuit. The vendors have no choice other than to work with MS on this (and I don't see how MS has a choice either), because "black hat" techniques would only break the software in the future, as MS releases patches to its OS to close these holes.

    3. Re:Another law suit... by Jeremy+Erwin · · Score: 1

      And what will they do when Windows loses market share (and it will, because it will be in the position of being the only door maker that cannot put locks on its doors because of the bouncer union)

      If I want to replace the default door locks on my door with Medeco locks, I should be able to.

      (and as far as analogies go, "Operating systems are doors" is about as stupid as "The Internet is made of tubes")
    4. Re:Another law suit... by slack-fu · · Score: 1

      Root is the default when you install Linux; you then have to add a user if you have any clue as to what you are doing.

    5. Re:Another law suit... by cyber-vandal · · Score: 1

      They made their bed, they now have no room to complain about having to lie in it.

    6. Re:Another law suit... by b0s0z0ku · · Score: 1
      Root is the default when you install Linux; you then have to add a user if you have any clue as to what you are doing.

      Depends what distribution. AFAIK, in Ubuntu, root isn't enabled by default and you do system admin tasks through a sudo-like mechanism that elevates your permissions temporarily.

      -b.

  10. "Security Software" vs. "Trojan" by xdxfp · · Score: 1

    Obviously if "security software" can bypass the restrictions, then so can malicious programs. There isn't any fundamental difference between software and malicious software that Windows can detect (one computer's virus is another computer's formatting software).

    --
    HRESULT WinAPIGetSystemProcessThreadMetricsMenu...
    LibraryVolumeModuleHandlePtrEx(PHSPTMMLVM PHndl);
    1. Re:"Security Software" vs. "Trojan" by portmapper · · Score: 1

      > Obviously if "security software" can bypass the restrictions, then so can malicious programs.

      Indeed, that is the case, but there is a big industry making money on the numerous exploitable bugs in Windows. So when Microsoft tries to close some of the holes, there are many complaints. My heart bleeds like an overflowing river for Symantec et al.

      Yes, yes, Microsoft is probably up to its very old behavior again of vendor lock-in, but there is improvement in security.

    2. Re:"Security Software" vs. "Trojan" by aquabat · · Score: 1

      There isn't any fundamental difference between software and malicious software that Windows can detect

      http://tools.ietf.org/html/rfc3514

      --
      A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
    3. Re:"Security Software" vs. "Trojan" by HiThere · · Score: 1

      If they hadn't knowingly and maliciously allowed the Sony rootkit in, then I would feel some sympathy for them. As it is... let's play "Sympathy for the Devil" again while we contemplate this knot.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    4. Re:"Security Software" vs. "Trojan" by dunng808 · · Score: 1

      Double-check the date of RFC-3514. Look closely. Think. Then read the RFC again. Get it?

      --

      Gary Dunn
      Open Slate Project

    5. Re:"Security Software" vs. "Trojan" by aquabat · · Score: 1

      I was joking. Too subtle?

      --
      A republic cannot succeed till it contains a certain body of men imbued with the principles of justice and honour.
  11. What? Did you run out of kayak stories ??? by Anonymous Coward · · Score: 2, Funny

    What? Did you run out of kayak stories ??? What sort of place is this anyway ?

  12. Microsoft have their own security product - so DUH by sbaker · · Score: 1

    Microsoft want you to pay them a monthly fee to get the Microsoft anti-malware stuff. Every obstacle they can toss in the way of cheaper alternatives is (for them) a good thing.

    The rule is: If you are in the business of doing X - then Microsoft announce that they are getting into doing X - then you'd better find a way to do Y instead. In the absence of government intervention, an illegal monopoly can do pretty much whatever the heck they like.

    --
    www.sjbaker.org
  13. Debugger Disables by mugnyte · · Score: 5, Interesting

    It is fascinating that TFA explains how, if a boot routine can initialize a "debugger attached" flag, the PatchGuard system is not initialized. From this aspect alone, I'd say MS should start playing more nicely with the vendors, since any malicious code worth its salt should set this value permanently and then replace kernel routines on disk as necessary.

    Also, given the fact that MS intends to make patching the standard for releasing a secure OS, the vendors can't really do this kernel checking themselves. Thus, I think it's safe to say, from the perspective of this article, that the OS's kernel is patchable by anyone.

  14. Blackhat techniques by jtwronski · · Score: 2, Interesting

    Um, how is this security if it's easily bypassed? Isn't the point behind any security layer to make it so nobody can bypass it? Seems to me that if it's that easy to circumvent, Microsoft is just spinning its wheels, and there will be plenty of market for companies like Symantec/McAfee to compete in. It's not like the virus/trojan/malware writers give a single shit about any layer of security that they can bypass. Easily.

    Symantec should be glad that Vista will have this ineffective security layer, so they can sell software to patch it.

  15. Micro$oft and Control by thorkyl · · Score: 2, Insightful

    A few years ago in office 2000 Microsoft dictated what attachments you could receive and what you could not. It sounds like Microsoft is attempting to create a business model of "If you want security you get it from us." and "We know better, you do it our way." Does the phrase duck and cover mean anything to anybody?

    --
    -- I am the NRA, enough said...
    1. Re:Micro$oft and Control by Anonymous Coward · · Score: 1, Insightful

      Or maybe Microsoft is just trying to implement reasonable security measures in their OS. From Microsoft's web site I found this list of actions that PatchGuard is supposed to prevent:

      * Modifying system service tables, for example, by hooking KeServiceDescriptorTable
      * Modifying the interrupt descriptor table (IDT)
      * Modifying the global descriptor table (GDT)
      * Using kernel stacks that are not allocated by the kernel
      * Patching any part of the kernel (detected only on AMD64-based systems)

      I don't see anything wrong with any of this, although my understanding of OS internals is limited so feel free to explain the problem to me.

      As for the Outlook attachment thing, that can be turned off at the server. So blame your Exchange admins for that.

    2. Re:Micro$oft and Control by mabhatter654 · · Score: 1

      But Microsoft has anti-virus software working on Vista. That's the problem. Anti-virus is not impossible... Microsoft just isn't letting anybody else play!!

    3. Re:Micro$oft and Control by Anonymous Coward · · Score: 0

      No. Microsoft just isn't letting them do it the way that they are used to doing it so they are whining. This is no different than when MS implemented system file protection in Windows 2000. Developers that were used to replacing system dlls with their own modified versions complained about it too when it broke their apps. But once they stopped whining, they went back and coded their stuff correctly (or slightly better than before). I suspect the same thing will happen here.

  16. To Save a Village... by HTH+NE1 · · Score: 1
    Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.
    "We had to hack the system in order to protect it"?
    --
    Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    1. Re:To Save a Village... by b0s0z0ku · · Score: 1
      "We had to hack the system in order to protect it"?

      Why not? Picture a heavy steel door with no holes in it, but secured by a thin plastic deadbolt. Cut a hole in the door and put in a proper deadbolt, and it'll become more secure.

      -b.

  17. Dance puppets dance by buffoverflow · · Score: 3, Funny

    1) Company creates horribly insecure OS.
    2) New multi-billion $$ industry sprouts for the sole purpose of securing said OS.
    3) Insecure OS company institutes blatantly obvious absolutely worthless security "features".
    4) No longer new multi-billion $$ industry complains because new BS security measures are worthless & the new features steal their pennies.
    4.5) Linux zealot chimes in on how these issues are not issues under their chosen OS.
    5) Horribly insecure OS company forms new multi-billion $$ industry to secure their horribly insecure OS in a proprietary fashion.
    6) Balmer covers the $1 he owes Gates for the bet they made on whether or not they can steal the billions from the industry that wouldn't exist had it not been for them & their lax attitude toward secure coding practices while blaming the whole fiasco on Google & Linux all the while creating a brand spanking new completely worthless multi-billion $$ proprietary industry. (Thank you Mortimer, er I mean Balmer)

    1. Re:Dance puppets dance by DoctorDyna · · Score: 1
      That was perhaps the single silliest thing I've ever seen anybody hint at. Never mind trying to pass any of it off as fact.

      I still firmly believe that as a matter of averages, OS security is based on a few different things:

      The current market share. The company with the largest slice will be the largest target for..everything. The technical prowess of the people responsible for coding the exploits for said market leader. It is BY DESIGN that Windows has more security issues. Linux and OSX users are automatically safer for 2 reasons: Most viruses and exploits are programmed by YOUR peers, secondly why bother coding, say, a trojan horse that records keystrokes and credit card numbers if your program only has the possibility of infecting 5-10% of all computers? Well? Nobody ever seems to wonder that. I hear it all the time, "Linux has no viruses" "mac has no vulnerabilities" well, there is a reason for that. The gains to be had for creating malicious code for those platforms would really be nearly pointless. Ask somebody currently in jail why they created a worm or a password thief for microsoft products, and I'm willing to bet the answer is NOT "because it's easier" the answer is most likely going to be "because I wanted to actually like..collect some data. Besides, I didn't want that crap getting onto my Linux machine."

      So, here's to you, stackoverflow or buffer overflow or underflow or stack-take-a-dump or what the fuck ever, stop spewing crap and flamebait.

      --
      Windows has more viruses because linux has more virus coders.
    2. Re:Dance puppets dance by isellmacs · · Score: 1
      Windows also has more vulnerabilities because it's using an older, more antiquated style of doing things.

      MacOS 9x and before was "more secure because it had low marketshare" but still had plenty of viruses for it.

      MacOSX is an entirely different animal. It may bear the name MacOS and some of the general apple feel, but under the hood it's a completely different OS. Designed from the ground up, using tried and true methods as well as more modern techniques to design a more stable and secure OS than their previous OS.

      Windows will definitely be more secure if it loses marketshare, but not for the reason you think: for Windows to truly be secure, it'll have to do some of the drastic things Apple did, and that will result in a massive loss in marketshare.

  18. Why do anti-virus applications need kernel access? by ClaraBow · · Score: 1

    This may be a stupid question, but why do anti-virus applications need kernel access? Do these programs need kernel access to simply scan for viruses?

  19. Re:Microsoft have their own security product - so by Mister+Whirly · · Score: 1

    "Microsoft want you to pay them a monthly fee to get the Microsoft anti-malware stuff. Every obstacle they can toss in the way of cheaper alternatives is (for them) a good thing."

    Do you have anything to actually back this up, or is this just your speculation??

    --
    "But this one goes to 11!"
  20. You didn't even read the slashdot summary by Anonymous Coward · · Score: 1, Insightful

    They would actually consider using blackhat techniques instead of the provided methods?

    The entire problem is that Microsoft is providing inadequate "provided methods" to these security companies for them to do their jobs. This makes sense, since Microsoft is now in direct competition with some of these same security companies-- why would it provide "provided methods" which match the power of what is potentially available to internal development teams?

    This isn't security, it's the illusion of security...

  21. Re:Why do anti-virus applications need kernel acce by Anonymous Coward · · Score: 1, Interesting

    They'll typically hook the APIs that open files and redirect them to their scan routine before returning control to the OS. This requires admin privileges.

    I'm wondering how copy protections like starforce (which really mess around with the windows kernel) will handle this. I'm guessing they'll just "blackhat" their way through it like they've always done.
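The hook that the comment above describes (redirect the file-open service to a scan routine, then fall through to the original), together with the table integrity check implied by the first item of the PatchGuard list quoted in comment 15.1 ("Modifying system service tables, for example, by hooking KeServiceDescriptorTable"), as one added example. This is not code from the original thread, from Microsoft or from any vendor: it is portable C in which `service_table`, the two "kernel" service routines, the `"eicar"` substring standing in for a real signature engine, and the FNV-1a hash standing in for whatever PatchGuard really computes are all constructed for illustration, and the write-protect handling a real SSDT hook needs is left out. What it shows is why the two camps collide: the AV product's hook and a rootkit's hook are the same write to the same table, and an integrity check on that table has no way to tell them apart.

```c
/* Simulated system-service table, an AV-style hook on it, and a
 * PatchGuard-style integrity check of that table.  Portable C; the real
 * KeServiceDescriptorTable, the CR0 write-protect dance and the kernel's
 * periodic verification are all stand-ins here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*service_fn)(const char *path);

enum { SVC_OPEN_FILE = 0, SVC_DELETE_FILE = 1, SVC_COUNT = 2 };

/* "Kernel" implementations of two services (constructed stand-ins). */
static int nt_open_file(const char *path)   { (void)path; return 0; }
static int nt_delete_file(const char *path) { (void)path; return 0; }

/* The dispatch table: a service number indexes into this array. */
static service_fn service_table[SVC_COUNT] = { nt_open_file, nt_delete_file };

/* Callers (user-mode programs, in the real thing) enter through here. */
int dispatch(int svc, const char *path)
{
    if (svc < 0 || svc >= SVC_COUNT) return -2;
    return service_table[svc](path);
}

/* ---- AV-style hook: scan before the real open runs ---- */
static service_fn original_open = NULL;
static int blocked_opens = 0;

/* Toy "signature": any path containing "eicar" is treated as malicious. */
static int scan_verdict_malicious(const char *path)
{
    return strstr(path, "eicar") != NULL;
}

static int hooked_open_file(const char *path)
{
    if (scan_verdict_malicious(path)) {
        blocked_opens++;
        return -1;              /* deny the open; the original never runs */
    }
    return original_open(path); /* clean: fall through to the kernel's routine */
}

int install_open_hook(void)
{
    if (original_open != NULL) return -1;   /* already hooked */
    original_open = service_table[SVC_OPEN_FILE];
    service_table[SVC_OPEN_FILE] = hooked_open_file;   /* the "patch" */
    return 0;
}

int remove_open_hook(void)
{
    if (original_open == NULL) return -1;
    service_table[SVC_OPEN_FILE] = original_open;
    original_open = NULL;
    return 0;
}

int blocked_open_count(void) { return blocked_opens; }

/* ---- PatchGuard-style check: hash the table at boot, re-hash later ---- */
static uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t table_baseline;

void integrity_baseline(void)
{
    table_baseline = fnv1a64(service_table, sizeof service_table);
}

/* 1 if the table still matches the boot-time baseline, 0 if anything
 * (AV hook or rootkit alike) has rewritten an entry. */
int integrity_check(void)
{
    return fnv1a64(service_table, sizeof service_table) == table_baseline;
}

int main(void)
{
    integrity_baseline();
    printf("clean table passes: %d\n", integrity_check());
    install_open_hook();
    printf("open eicar -> %d, open notes -> %d\n",
           dispatch(SVC_OPEN_FILE, "C:\\temp\\eicar.com"),
           dispatch(SVC_OPEN_FILE, "C:\\temp\\notes.txt"));
    printf("hooked table passes: %d\n", integrity_check());
    remove_open_hook();
    printf("restored table passes: %d\n", integrity_check());
    return 0;
}
```

Build with any C compiler (`cc hook.c`). The real kernel re-verifies periodically and bugchecks with 0x109 (CRITICAL_STRUCTURE_CORRUPTION) on a mismatch rather than returning 0; here `integrity_check()` only reports, so the reader can watch the hook install, do its job, and trip the check.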

  22. If Microsoft were serious about security... by Anonymous Coward · · Score: 0

    They would have done a lot of things way differently a long time ago.

    -ActiveX is a stupid, stupid security risk. Any Windows user with ActiveX shut off is safer. If MS were serious about security they'd have gotten rid of it long ago.

    -Mixing code and data is stupid. Keep the data separate from the code! Of course, keeping code and data separate makes DRM harder to implement, but why should DRM matter to Microsoft - except for the fact that they value Sony-BMG more than they value their own customers.

    -Have stuff default to "off" rather than "on". This has been discussed at /. many, many times. Apparently, MS employees are too busy shilling to actually read posts.

    -STOP HIDING EXTENSIONS!!! Christ, it's incredibly STUPID that I can write a virus named NakedLady.JPG.exe and it will show up in most peoples' computers as NakedLady.JPG.

    -Make programs have an .EXE extension to execute! No more .SCRs, for example. They're getting worse rather than better about this; I downloaded the AOL antivirus to try it out (OT rant about it follows) and the download had a .MSI extension. It confused me for a minute; is this like .ISO when it's really not an ISO but you have to rename it to get through the firewall? No, it just ran, and installed AOL's software.

    There are a whole lot more I can't think of off the top of my head; *nix's way of specifying whether a file is executable or not makes a whole lot of sense to me, MS's way makes no sense at all.

    OT about AOLAV - ZoneAlarm gives me strong indications that there is something very, very fishy about this program. When the PC boots, the first thing AOL/Kaspersky's program does is try to access the internet. Ok, maybe it's looking for more updated virus sigs. But the SECOND thing it does is try to act as a server. WHY?
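The NakedLady.JPG.exe case from the post above, as an added example in C that is not from the original thread. The display rule that drops the final extension is a simplification of Explorer's "Hide extensions for known file types" (every extension is treated as a known type here, which is an assumption), and the list of executable extensions is a partial one I supply; `.scr` is in it for the reason the post gives. The point is that the rule only hides the last extension, so whatever sits before it passes for the file's type; `is_disguised_executable()` is the check a mail gateway or download scanner runs to catch exactly that.

```c
/* How "hide extensions for known file types" turns NakedLady.JPG.exe into
 * NakedLady.JPG, and a check that flags the double-extension lure. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Extensions Windows runs on double-click (partial list, supplied here). */
static const char *const EXEC_EXTS[] = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", NULL
};

/* Case-insensitive string equality, since Windows names are. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Pointer to the final ".ext" of name, or NULL if there is none
 * (a leading dot, as in ".bashrc", is not an extension). */
static const char *last_ext(const char *name)
{
    const char *dot = strrchr(name, '.');
    return (dot && dot != name && dot[1] != '\0') ? dot : NULL;
}

int is_executable_ext(const char *ext)
{
    for (int i = 0; EXEC_EXTS[i]; i++)
        if (ieq(ext, EXEC_EXTS[i])) return 1;
    return 0;
}

/* Mimics the default display rule: drop the last extension (every
 * extension counts as "known" in this simplification). */
void displayed_name(const char *name, char *out, size_t outsz)
{
    if (outsz == 0) return;
    const char *ext = last_ext(name);
    size_t n = ext ? (size_t)(ext - name) : strlen(name);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, name, n);
    out[n] = '\0';
}

/* 1 if the real extension executes but the displayed name ends in a
 * different, non-executable extension: the lure the post describes. */
int is_disguised_executable(const char *name)
{
    const char *real = last_ext(name);
    if (!real || !is_executable_ext(real)) return 0;
    char shown[260];                     /* MAX_PATH-sized scratch buffer */
    displayed_name(name, shown, sizeof shown);
    const char *shown_ext = last_ext(shown);
    return shown_ext != NULL && !is_executable_ext(shown_ext);
}

int main(void)
{
    const char *samples[] = { "NakedLady.JPG.exe", "readme.txt.scr",
                              "holiday.jpg", "setup.exe" };
    char shown[260];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        displayed_name(samples[i], shown, sizeof shown);
        printf("%-20s shown as %-16s disguised=%d\n",
               samples[i], shown, is_disguised_executable(samples[i]));
    }
    return 0;
}
```

Note that `setup.exe` is not flagged: with the extension hidden it shows as `setup`, which claims no type at all. The check targets the case where the visible remainder itself ends in something innocuous, which is what makes the lure work.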

    1. Re:If Microsoft were serious about security... by Dog-Cow · · Score: 2, Informative

      "-Make programs have an .EXE extension to execute! No more .SCRs, for example. They're getting worse rather than better about this; I downloaded the AOL antivirus to try it out (OT rant about it follows) and the download had a .MSI extension. It confused me for a minute; is this like .ISO when it's really not an ISO but you have to rename it to get through the firewall? No, it just ran, and installed AOL's software."

      Every GUI OS understands the concept of file -> application mappings. Most use file extensions as one method of performing the mapping. MSIs are mapped to the Microsoft Installer application. There's nothing malicious or secret going on there. Or are you really stupid enough to open Notepad and use the menu to open a text file instead of just double-clicking the file directly?

    2. Re:If Microsoft were serious about security... by Firefly1 · · Score: 1
      STOP HIDING EXTENSIONS!!! Christ, it's incredibly STUPID that I can write a virus named NakedLady.JPG.exe and it will show up in most peoples' computers as NakedLady.JPG.
      In the first place, hiding extensions is an option; in the second, I for one still find it hard to believe that the trick you describe works - tooltip information, never mind bringing up the properties dialog box, would give the game away right quick.
      --
      - White Knight of the Order of Mihoshi Enthusiasts
    3. Re:If Microsoft were serious about security... by Anonymous Coward · · Score: 0

      It's an option that just happens to be enabled by default. And someone is going to double-click on it rather than check the properties -- assuming they even knew enough to interpret what they would see. This is trivial to prevent, but MS wanted to clean up the interface to look slick like, say, Mac. Sad thing is Apple is now telling everyone to use extensions. They don't have the magic meaning that they do in DOS ... I mean WinXP ... but it is still the most significant flag for most people.

      Even with the prevalence of thumbnailing all you have to do is set the icon to an old standby for a picture and people will assume it just didn't render.

    4. Re:If Microsoft were serious about security... by Ant+P. · · Score: 1
      Or are you really stupid enough to open Notepad and use the menu to open a text file instead of just double-clicking the file directly?

      Are you really stupid enough to open executable files just because they have a text file icon and display "readme.txt" as the name? I'm not, but then again I don't use an OS where such brain-damaged behaviour is the default setting.
  23. Re:Microsoft have their own security product - so by NSIM · · Score: 1

    >Microsoft want you to pay them a monthly fee to get the Microsoft anti-malware stuff.

    Nope, Microsoft want to charge you $49.95 for three PCs for a year. Other than the free AV products, I don't know of any "cheaper alternatives"; care to elaborate?

  24. Re:"using these techniques is not a difficult tric by Jeremy+Erwin · · Score: 1

    Users of 32 bit windows expect backwards compatibility. Redesigning the driver interface to plug all of the security holes would break this compatibility.

    However, 64 bit windows is incompatible with 32 bit kernel mode drivers (the speed penalty would be too great). Users and vendors know that at least recompilation will be necessary, and this gives Microsoft an excuse to redesign the relevant APIs.

    IIRC, Linux driver developers know that binary compatibility is, at best, a nice bonus. This understanding allows the kernel developers more freedom to fix bugs.

  25. Re:Why do anti-virus applications need kernel acce by Anonymous Coward · · Score: 0

    There are lots of locations that only SYSTEM account has access to, so yes.

  26. Re:Why do anti-virus applications need kernel acce by NSIM · · Score: 1

    I would suspect it's about being able to spot the fingerprints of well hidden & stealthy root kits that may not be visible without being inside the kernel.

  27. Hooks gone? by HardcoreWizard · · Score: 1

    Am I getting this wrong, or have they actually removed the possibility of using hooks? Or are they just talking about creating a special hook interface for the security software vendors? Anyway, both cases would be obnoxious; removing hooks to improve security would break a lot of software, and creating a special hook interface for security software would be idiotic! Why leave a backdoor wide open?! It's like Greenpeace whining about too many whales in the ocean...

  28. Doesn't affect me by 93+Escort+Wagon · · Score: 1

    The only Windows box in our house is my wife's laptop, and we'll be keeping XP on that until XP is no longer supported. By the time that happens, I think it's likely she'll be using a Mac - so if we need Windows for anything (which would be her sewing machine software) we can run it without internet access.

    --
    #DeleteChrome
    1. Re:Doesn't affect me by Anonymous Coward · · Score: 0

      VMware (free!) or the various other virtual machine programs are good enough to run apps that aren't unusually processor or RAM heavy or dependent on accelerated graphics right now. I'd imagine that sewing machine software qualifies, unless it directly controls the machine through a custom port or something (USB should be fine).

      If that's really all that's holding you back, maybe now's the time to go for it. I'd recommend (k)Ubuntu though, so you don't end up discarding the laptop.

      P.S. The only downside is that you might need a bit more RAM, depending on how old the laptop is. If it's well under 1GHz you'll also probably find that the virtual machine performance hit is a bit too much - you could try WINE, or just get the new Mac.

    2. Re:Doesn't affect me by Anonymous Coward · · Score: 0

      dude who asked for your life story?

  29. Re:Why do anti-virus applications need kernel acce by JSG · · Score: 1

    To do the job properly they need to intercept file accesses before the rest of the system, and to do that they use a filter driver (which needs a reboot to install - hah!).

    So, an app or whatever requests a file. The OS gets it off disc and the AV software reads it and approves it (or bins it) before the app gets it.

    Filter drivers are inserted directly into the kernel, I believe, a bit like a module under Linux et al. Sadly they seem unable to make these things properly dynamic. You are probably patching the running kernel or something else equally daft, but I am not a kernel hacker (Win or otherwise).

    To be fair if you were going to do the same under Linux or anything else for that matter the above still applies. To get there first you have to run your AV scanner at the kernel level to intercept the calls transparently unless your file system driver has a built in mechanism to filter things through userspace.

  30. Re:Please get it right by stormi · · Score: 1

    that wasn't flamebait, it was insightful.

    --
    "if only i had known i would have been a locksmith." -albert einstein
  31. Misleading summary by Ancil · · Score: 1
    Apparently, using these techniques is not a difficult trick.

    The linked webpage contains a bunch of "techniques" which are mostly

    "If we find a bug in this system call, PatchGuard will be worthless!"

    along with a few

    "This disables PatchGuard in the current beta build of Vista!"
  32. Obviously... by glindsey · · Score: 1

    This doesn't surprise me in the least. PatchGuard is obviously designed to eliminate third-party competition, not stop hackers.

    1. Re:Obviously... by DCGregoryA · · Score: 1

      Not for nothing but you guys want it both ways.

      You complain that MS is insecure, then complain when they make attempts to become secure. I agree with the above poster that it should be toggleable. MS doesn't cater well to people who are tech savvy enough to handle this stuff themselves. However, which is it? Complain about MS's insecurity or security? As far as I see it, basing a business model around an OS's insecurity in the long run is a game of diminishing rewards year after year.

      Likewise, Symantec specifically hasn't done much of late in the way of protecting home users anyway. Half the time I view their A/V as "a cure worse than the disease", especially since it's mostly ineffective anyway against modern worms/viruses. Their corporate edition is the only thing they sell worth a damn as far as A/V & Security goes.

      Anyone want to place bets on how long it'll take them to sue?

  33. I don't see what the big deal is by bberens · · Score: 2, Insightful

    If Microsoft intends to have its own anti-virus software/mechanism they must feel they're capable of doing this without the kernel hooks requested by Norton and ilk. The only thing I would take issue with is if Microsoft uses an undocumented API in order to get an unfair advantage over the third party vendors. When that happens, wake me up and I'll get back up on my anti-Microsoft $oapbox. Until then... bleh.

    --
    Check out my lame java blog at www.javachopshop.com
  34. Re:Microsoft have their own security product - so by init100 · · Score: 2, Informative

    Do you have anything to actually back this up, or is this just your speculation??

    Windows Live OneCare service?

  35. What if windows ever did secure itself? by isellmacs · · Score: 2, Insightful
    I think it's universally agreed that the biggest flaw in Windows is security. To this extent, we've seen many a revision of Windows that has altered the way Windows works with certain tweaks, to try and make Windows more secure.

    Many people knock Windows for being insecure, but it's not like Microsoft WANTS it to be that way. No, the people who want it to be that way are the "security" companies. Anti-virus companies have profited from security flaws and viruses alike for many years now, and it has become a rather booming business and the focal business model for companies like McAfee and Symantec. These companies have a vested interest in maintaining security flaws and the propagation of viruses out on the internet.

    Let's say the unimaginable does happen: Windows implements some radical change to secure the OS. What happens to these companies? They stand up and try and present themselves as our saviours against these "evil black hats", but aren't they the ones with the most to gain from the current business model? By making Windows secure, they will effectively end a decade-long business model for these security companies by making them obsolete. That's a good thing for users, but a bad thing for them.

    I find it appalling that they would consider Microsoft taking steps to secure their OS as being "anti-competitive" in nature. The "security" market in this case exists only due to flaws and vulnerabilities in Windows. Flaws which Microsoft has stated time and time again they are trying to correct.

    I think people underestimate the task put forth before Microsoft in making Windows secure.

    Take a look at MacOS. Crashed a lot, lots of security flaws and viruses for having such a small marketshare at the time. Apple realized the problem, and understood that constantly applying bandaids to a broken OS wasn't working. They re-did the entire OS to get OSX. The problem, of course, is no OS 9 programs run natively in OSX. They had an emulator for a while, and a lot of people struggled with the transition. Like a caterpillar to a butterfly, they were reborn in a more evolved state.

    Windows, on the other hand, doesn't have that sort of luxury. If MS were to re-write their code so that no previous versions of software would work, and all developers had to start over from scratch and learn new methods to program, it would cause disastrous consequences both for MS, and potentially for the world over. Best case scenario would be Apple releasing OSX x86 on non-Apple hardware and taking over the entire market. This, of course, would be the virtual end of MS, which they have no desire to do.

    Microsoft is faced with trying to secure a broken OS, without actually starting over (which isn't an option) or breaking the ability of developers to make software for the platform. I'd be curious (as I imagine MS would be too) if anybody can come up with a real solution to the problem? And if you can, can you do it while still allowing the current "security" companies to continue to cash-cow the general public?

    1. Re:What if windows ever did secure itself? by dpilot · · Score: 2, Informative

      I think you've hit it pretty well, but there's one thing worth mentioning.

      The Windows security problems are Microsoft's own fault, and at a FAR more fundamental level than merely flawed implementation.

      The problems began because Windows began as a GUI shell on top of a single-user program loader. There's an old adage, "Those who don't understand Unix are doomed to reinvent it - poorly." Multi-user wasn't in there at the beginning, and retrofits were awkward. I realize that the NT kernel is a true multiuser kernel, but there's so much cultural cruft above it that it doesn't help, much.

      The problems got worse through the Windows95 era because of 2 competitive fronts - DOS and OS/2. To cannibalize their old DOS base, they tried to sell integration - make everything just work together and give Windows an obvious advantage even to those unafraid of the command line. One of the many things they did to kill OS/2 was the "API of the week." Many APIs were made up, I suspect on the fly by marketing, in order to give Win95 an edge over OS/2. Many of those APIs went by the wayside once they'd done their FUD-duty, but not all. The result of these 2 competitive responses was a bunch of stuff thrown into Win32 with little true architecture work or security concern.

      Combine these factors, and I'd say that from a security point of view, the Windows API was broken-by-design back in the old Win9X days. Microsoft has been struggling ever since to clean what they can and limit the breakage of backward compatibility to something that won't stop users from upgrading. They've built themselves a mighty fine knife-edge to dance on.

      --
      The living have better things to do than to continue hating the dead.
    2. Re:What if windows ever did secure itself? by Anonymous Coward · · Score: 0

      Exactly. Windows, as it should be, is *never* in the cards for Microsoft in any near future.

      Windows is backwards compatible to the stone age. XP will run almost anything you throw at it that was ever written for some derivation of Windows/DOS. This is one of the big reasons, if not *the* reason people stay with Windows. Their apps work, and will continue to work, until/if the developer releases new XYZ only version which incorporates new OS features.

      If Microsoft wanted Windows to be secure, they would have to do an Apple and completely rewrite the way things work. As a result, backwards compatibility would have to go. If the new Dell ABC with Windows XYZ won't run any of my current programs, and I'm stuck having to wait for things to be ported to the new platform, Windows has suddenly put itself BELOW OSX/Linux in terms of usefulness. Suddenly those OS'es are more mature and have better support.

      The result would be migration to alternate OS'es, or stagnant use of older Windows versions. Neither of which helps Microsoft and its distributors sell product. Of course Windows would likely still dominate (it's what we've always used mentality) but they would have handed a BIG bone to their competitors.

      Apple could do it because of their small market share. As a result Apple users tend to be more loyal, developers are closer to the corporate mouth-piece, and their equation was reversed so they had little to lose and lots to gain. Controlling the hardware, OS, and many of the applications users depend on gives you power to force change (for the good and the bad).

      The best Windows can hope for is some fancy footwork with virtualization and semi-snapshots so a "new" Windows could run "old" Windows applications, and have the "new" Windows clean up after the mess created by working in the "old" Windows. And then, slowly push development to the new platform and eliminate legacy support only after redevelopment has reached a level that places support above their competitors.

      Still risky. If I was a Windows developer and forced to rework my program for a "new" structure of Windows -- what's to stop me from saying what the heck, let's go OSX. OSX can already virtualize Windows, and it's only going to get better. Why not decide to virtualize my program on Apple until my OSX version is ready if Microsoft wants me to do the same thing?

      Keeping Windows like it is is the only way to ensure they keep their marketshare and their distributors keep selling product. Windows is the easy cash cow. Rock the boat and people will start jumping off.

    3. Re:What if windows ever did secure itself? by Anonymous Coward · · Score: 0
      Administrator-level accounts must be very secure yet be able to do anything an admin should be able to do without bugging the user.

      Anything less is unacceptable...

    4. Re:What if windows ever did secure itself? by Syrrh · · Score: 1

      That's all true, but Microsoft has other advantages in their pocket that could allow a total reconstruction. They have the near-universal install base, and they have money.

      It's kind of hard for me to believe that they can't come up with *any* workaround hacks like emulating oldschool windows and its registry for applications that require it. If they run poorly, it's all the more reason for software vendors to crank out a newer version. If that's not an option, users can still hobble along. They'll keep using Windows because they perceive their choices to be limited.

      Consider also that Windows isn't the only bag Microsoft has. What about an upgrade incentive? Ditch your old versions, and during the adoption phase they throw in the Office suite for free. Or server licenses. Or even no-charge support. Sure, they'll have to take a big financial hit during the transition, but a few years later they get an even tighter grip on the OS market and anyone who didn't voluntarily switch can just be pushed off the end-of-support through obsolescence. Microsoft has never really done anything to show off how deep their pockets are, but I bet they could come up with some pretty tempting bribes.

      If they wanted to. Then again, why disturb the status quo when it provides more money for less work?

    5. Re:What if windows ever did secure itself? by kimvette · · Score: 1

      If CodeWeavers can provide a compatibility layer to run Windows applications on ($distro) Linux, and if a free/free solution (wine) can do a pretty good job of it as well, even in ($distro) Linux's security model, then why can't Microsoft do the same? Cut the cord on native backwards compatibility, then provide a compatibility layer where it's confined to a litterbox where poorly-written apps demanding Administrator access can shit all over themselves without causing system-wide security headaches?

      --
      The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
    6. Re:What if windows ever did secure itself? by trojjan · · Score: 1

      Microsoft decides to create a secure OS.
      Most popular software for Windows is Microsoft's (i.e. Office suite etc.).
      This software should work on the new secure OS.
      Microsoft can't create 'secure' versions of this software for their new 'secure OS'.
      Microsoft gives up on the secure OS.

      btw a lot of Windows software does break from one version to the next, hence the compatibility mode?

  36. Re:Please get it right by Anonymous Coward · · Score: 0, Offtopic

    Actually wouldn't it be Microsoft Windows or MS Windows? Can the term "Windows" be used by itself? Are you talking about XWindows, Windows as a general term about GUIs, or the view to the outside world in your house?

    Jim

  37. Re:"using these techniques is not a difficult tric by Anonymous Coward · · Score: 1, Interesting

    PatchGuard isn't present in the 32bit O/S, it's x64 only.

    >Users and vendors know that at least recompilation will be necessary, and this gives Microsoft an excuse to redesign the relevant APIs.

    There has been absolutely zero change in the standard Windows driver model, so this statement is misleading. True, on 64bit Windows all drivers need to be 64bit, but this is (generally) a single afternoon activity (fix all the places where you cast your pointers to ULONGs and then go home early).

    PatchGuard just takes some clever advantage of x64 SEH and uses a timer to periodically check the system for changes to certain structures, it's not a part of some master plan to redesign APIs to be more secure (whatever that might mean).

  38. Re:Why do anti-virus applications need kernel acce by EvanED · · Score: 1

    The problem is that viruses and rootkits can hook into the kernel too. If detectors are really to have a reasonable chance of detecting these sorts of malware, they need to play on equal footing, i.e. hook into the kernel too.

    Without that ability, a well-written piece of malware can hook into the routines that the anti-virus program uses and filter results or otherwise disable its detection mechanisms. Even if the anti-virus tries to hook the kernel, and is loaded after the malware, it's starting from a severe disadvantage.

    But if the anti-virus is loaded, it can hook the routines that malware uses to install its hooks and use them as a detection point.

  39. Re:Please get it right by cab15625 · · Score: 2, Informative
    Are you talking about XWindows
    Technically, it's "XWindow", singular. As in "The X Window System". But they've been struggling with trying to make people get it right for decades now.
  40. New MS Crack House by mpapet · · Score: 1

    I'll say it again, Microsoft has no incentive in providing a reasonably secure OS (ex. your favorite distro). Like every version that's come before Longwait, it's a coordinated message to make the PHBs buy it because they "fixed security" in Longwait.

    Mom & Pop buyers will be okay with this because they'll pay MS every month like they pay a cable TV bill. The software monoculture pretty much dictates that their machines will be zombies anyway.

    This works out great for me because I will have -plenty- of work baby sitting these things.

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
  41. Optional security features are useless by Wesley+Felter · · Score: 3, Interesting

    If PatchGuard was optional, the first thing malware would do after getting into your computer is turn it off. (Of course, this is only a problem for people who want it turned on.) The only solution is to make security that can't be turned off.

    1. Re:Optional security features are useless by meatspray · · Score: 1

      or make security that requires signed code to hook at that level

    2. Re:Optional security features are useless by Anonymous Coward · · Score: 0

      Technically, it could be an irreversible install option.

  42. The whole "patchguard" concept is bogus by Animats · · Score: 3, Interesting

    The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.

    The whole concept of add-on programs having access to kernel memory is so insecure that it has to go. UNIX and Linux limit it to loadable drivers, and the serious microkernels like QNX and IBM's VM don't allow it at all. But the Microsoft world, mostly for historical reasons, has all sorts of crap running with access to kernel memory, from various "security programs" to game DRM components. All that crap should have been taken out in Vista. The fact that it wasn't indicates how minor a change at the kernel level Vista is over XP.

    1. Re:The whole "patchguard" concept is bogus by dave562 · · Score: 1
      You came up with a different interpretation of PatchGuard than I did and I'm curious about which one of us is right. My understanding is that the AV vendors are whining because Microsoft is locking down the kernel and refusing to publish APIs or any documentation that will make it easy for third-party vendors to get at the kernel. PG is intended to sit between the kernel and the rest of the system. It will intercept any attempts to modify or interact with the kernel in non-approved ways. Microsoft decided to implement this with the x64 version of Windows because vendors were going to have to re-write the drivers anyway.

      The whole concept of add-on programs having access to kernel memory is so insecure that it has to go.

      Isn't that what is happening? MS is denying add-on programs access to the kernel and the vendors who produce those add-on programs are whining about it?

    2. Re:The whole "patchguard" concept is bogus by thejynxed · · Score: 1

      Very excellent point. If Microsoft was serious about this, they wouldn't care if they broke backwards compatibility, they would just do it. Now mind you, this bit they are doing here with Patchguard is like a "damned if we do" "damned if we don't" kind of thing. On the one hand, if they do it, they can potentially close some loopholes, but still take a lot of guff from 3rd party vendors, etc. On the other hand, if they don't, then everyone jumps on them about not being serious about security. So really, due to their own malfeasance, they are stuck between the figurative "rock and a hard place".

      They should have listened to everyone back when they released 98SE when they were told to break backwards compatibility for the sake of security if for no other reason...and what did we end up with...WinME...and then Win2k, XP and 2k3...and they still haven't learned apparently if a lot of the Swiss cheese holes in XP are still found in Vista.

      Three good suggestions for MS:

      1) Rewrite your kernel structure - nothing but absolutely necessary modules and drivers get access, everything else should run separately. No unnecessary hooks, APIs and other nonsense. If this breaks the way certain applications function, too bad. Programmers and devs can learn to deal just like they deal with other crap, and maybe this will encourage them to stop being so damned lazy when it comes to their code.

      2) Get rid of that stupid Registry, which is nothing but a tangled mess of exploits, vulnerabilities, insecurity and the cause of numerous BSODs. Not to mention confusion, because you need a freaking college degree to even understand what it does. Hell, even seasoned programmers seem to have trouble dealing with that thing! Even by your OWN programmers, MS; witness the unnecessary garbage left behind by your own application installers!

      3) Rewrite your file system, and the way your file/folder structure is laid out. Programs should not have writable access to the Program Files, Windows, etc. folders outside of installation and patching. Operating System files should be checked during boot, during access, and during shutdown to determine if they were modified. Compare them to a valid (encrypted) checksum of what they should be compared to what they actually are. Refuse to let them run if invalid. All other data, etc. should be contained within some sort of userland directory structure that is walled off from the core OS structure. Programs should not require Administrator level access to install or run. The OS should be a platform to make a computer and its hardware function, not serve as an easy way for lazy or malicious programmers to make 3rd-Party Program X do whatever it feels like doing (3rd-party programs installed to userland should not be able to install any modified OS files whatsoever). Programs that are not drivers should not be allowed to install at the driver level. If BSD, Unix, Linux, etc. can do it, why can't you?

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
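      A toy model of the mechanism described by the Anonymous Coward in comment 37 and by Animats in comment 42 (a timer-driven check of protected structures against a baseline), combined with the keyed checksum thejynxed asks for in point 3. This is an added example, not code from any poster or from Microsoft; the region names, the byte blobs and the interval in ticks are all constructed, and it exists to show why a change made between two checks is only reported at the next one.

```python
"""Toy model of a PatchGuard-style periodic integrity monitor (constructed example).

A handful of byte blobs stand in for protected kernel structures. A keyed HMAC
baseline is taken once; a timer callback re-verifies the live view only when
the check interval has elapsed, so a change made between two checks surfaces
at the next check rather than immediately.
"""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample "protected structures" (name -> bytes). Nothing here is
# real kernel data; the names are labels for the demonstration only.
PROTECTED_VIEW: Dict[str, bytes] = {
    "dispatch_table": bytes(range(0, 64)),
    "interrupt_table": bytes(range(64, 128)),
    "code_region": b"\x90\x90\xc3" * 16,
}

# (modified, missing, added) region names, each sorted
CheckResult = Tuple[List[str], List[str], List[str]]


class IntegrityMonitor:
    """Keyed-hash baseline of named regions plus an interval-gated checker."""

    def __init__(self, key: bytes, interval: int) -> None:
        self.key = key              # never stored inside the monitored view
        self.interval = interval    # ticks that must pass between two checks
        self.baseline: Dict[str, bytes] = {}
        self.last_check: Optional[int] = None
        self.log: List[Tuple[int, CheckResult]] = []

    def _tag(self, name: str, data: bytes) -> bytes:
        # A keyed MAC rather than a plain hash: whoever can rewrite a region
        # could also rewrite an unkeyed checksum stored next to it, but cannot
        # forge a tag without the key. Binding the name stops region swaps.
        msg = name.encode() + b"\x00" + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def take_baseline(self, view: Dict[str, bytes], now: int) -> None:
        self.baseline = {n: self._tag(n, d) for n, d in view.items()}
        self.last_check = now

    def verify(self, view: Dict[str, bytes]) -> CheckResult:
        """Compare the live view against the baseline, unconditionally."""
        modified = [
            n for n, d in view.items()
            if n in self.baseline
            and not hmac.compare_digest(self._tag(n, d), self.baseline[n])
        ]
        missing = [n for n in self.baseline if n not in view]
        added = [n for n in view if n not in self.baseline]
        return sorted(modified), sorted(missing), sorted(added)

    def tick(self, now: int, view: Dict[str, bytes]) -> Optional[CheckResult]:
        """Timer callback: verify once per interval, otherwise do nothing."""
        if self.last_check is not None and now - self.last_check < self.interval:
            return None
        self.last_check = now
        result = self.verify(view)
        if any(result):
            self.log.append((now, result))
        return result


def simulate_detection_latency(interval: int = 5, change_at: int = 3) -> Dict[str, object]:
    """Drive the monitor with a constructed timeline; report when a change is seen."""
    key = b"constructed-demo-key-not-a-real-secret"
    mon = IntegrityMonitor(key, interval)
    view = dict(PROTECTED_VIEW)
    mon.take_baseline(view, now=0)

    detected_at = None
    for now in range(1, 3 * interval + 1):
        if now == change_at:
            # Constructed event: one byte of a protected region is altered.
            view["dispatch_table"] = bytes([0xFF]) + view["dispatch_table"][1:]
        result = mon.tick(now, view)
        if result and result[0]:
            detected_at = now
            break
    # With interval=5 and change_at=3 the change is seen at tick 5, two ticks late.
    return {"changed_at": change_at, "detected_at": detected_at, "log": mon.log}


if __name__ == "__main__":
    report = simulate_detection_latency()
    print(f"changed at tick {report['changed_at']}, detected at tick {report['detected_at']}")
    for when, (modified, missing, added) in report["log"]:
        print(f"  tick {when}: modified={modified} missing={missing} added={added}")
```

      The detection window shrinks with the interval but never closes, which is the point Animats makes about checking "every five or ten minutes".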
    3. Re:The whole "patchguard" concept is bogus by plague3106 · · Score: 2, Insightful

      1) Rewrite your kernel structure - nothing but absolutely necessary modules and drivers get access, everything else should run separately. No unnecessary hooks, APIs and other nonsense. If this breaks the way certain applications function, too bad. Programmers and devs can learn to deal just like they deal with other crap, and maybe this will encourage them to stop being so damned lazy when it comes to their code.

      This sounds like what they are doing...

      2) Get rid of that stupid Registry, which is nothing but a tangled mess of exploits, vulnerabilities, insecurity and the cause of numerous BSODs. Not to mention confusion, because you need a freaking college degree to even understand what it does. Hell, even seasoned programmers seem to have trouble dealing with that thing! Even by your OWN programmers, MS; witness the unnecessary garbage left behind by your own application installers!

      Huh? There's only one part of the registry that will launch applications.. mostly it's just a configuration store. As far as leaving garbage behind, that's the fault of the software vendors; they write the installers.

      3) Rewrite your file system, and the way your file/folder structure is laid out. Programs should not have writable access to the Program Files, Windows, etc folders outside of installation and patching. Operating System files should be checked during boot, during access, and during shutdown to determine if they were modified. Compare them to a valid (encrypted) checksum of what they should be compared to what they actually are. Refuse to let them run if invalid. All other data, etc should be contained within some sort of userland directory structure, that is walled off from the core OS structure. Programs should not require Administrator level access to install or run. The OS should be a platform to make a computer and its hardware function, not serve as an easy way for lazy or malicious programmers to make 3rd-Party Program X do whatever it feels like doing (3rd-party programs installed to userland should not be able to install any modified OS files whatsoever). Programs that are not drivers, should not be allowed to install at the driver level. If BSD, Unix, Linux, etc can do it, why can't you?

      What? You might as well claim that no one should be able to write to /bin or /usr in the unix world. Clearly admins are, as the good old 'rm -rf /' will delete everything, and without warning I might add. They don't need to rewrite the filesystem just to make PF and Windows locked down; running Windows with proper permissions will accomplish the same thing.

    4. Re:The whole "patchguard" concept is bogus by mabhatter654 · · Score: 1

      but Microsoft makes an Anti-virus product... i doubt that Windows live will stop production after Vista comes out... so Microsoft has SOME way of integrating AV into the system. If they created an API for security software that didn't need kernel space MS PR would be all over this by now by saying the AV companies "aren't doing it right". But they're not... MS is silent. So the only option is that MS has secret APIs somewhere.. in the kernel or in the OS.. that allow security software to run.

    5. Re:The whole "patchguard" concept is bogus by sqlrob · · Score: 1

      This sounds like what they are doing

      Not enough. Do something like the following:
      Ring 0 - Kernel, MS signed only
      Ring 1 - Drivers
      Ring 3 - Userland

      Give up on the 2 modes, that's a backward compatibility hack for a port that doesn't exist any more.

    6. Re:The whole "patchguard" concept is bogus by thejynxed · · Score: 1

      Install MS Office, Windows Defender or any other MS app on a clean OS install and you will see exactly what I mean about useless entries/garbage being left over. It isn't just 3rd party vendors who have issue with the Registry, even MS software Devs/Programmers can't seem to get it right.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    7. Re:The whole "patchguard" concept is bogus by plague3106 · · Score: 1

      From my understanding, this isn't something Linux does either; drivers (aka kernel modules) run in kernel space too.

      Which '2 modes' are you referring to? As far as backward compatibility goes, making it so that every piece of software needs to be rewritten (and many companies are using older software where the vendor doesn't exist) is simply not reasonable. Linux never did this either; they moved to ELF, but to this day it can support a.out binaries as well..

    8. Re:The whole "patchguard" concept is bogus by sqlrob · · Score: 1

      User mode/kernel mode.

      User mode software does not need to be rewritten. It doesn't care whether drivers are Ring 1 or Ring 0 (except for things like Sysinternals tools). Only drivers need to be rewritten, and they need to be to support Win64 anyway. Might as well make it a clean break.

  43. ...stop the whining by SammysIsland · · Score: 1
    "...But now they force security vendors to bring a knife to a gun fight..."

    If you KNOW it's a gun fight, then bring an RPG.

    I will never understand the level playing field argument in this situation. Since when is it an OS developer's duty to create an environment that is compatible with the software that is to run on it? I have never heard the argument that Motorola was in violation of antitrust law for creating processors that Windows wouldn't/couldn't run on.

  44. I really don't want to own vista. by Il128 · · Score: 1, Interesting

    I just do not understand why anyone would want to run Vista. What's the advantage? Where's the value?

    --
    Thanks to eating disorders most chicks are reasonably good looking these days.
  45. Re:Please get it right by Anonymous Coward · · Score: 0

    Thanks for the info. I've been referring to it incorrectly for quite some time then it seems.

    Jim

  46. I think the point is... by Eric+Damron · · Score: 1

    "...it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself."

    I think the point is that Windows IS NOT actually securing itself. If it's easy for black hats to get around it how can it be "Secure?"

    --
    The race isn't always to the swift... but that's the way to bet!
  47. I was confused for a sec there by Anonymous Coward · · Score: 0

    When the story said Window's Patchguard, I thought it might be about a third party app to prevent or control the Windows Update facility. Silly me.

  48. Whaddya mean "black hat" by Savior_on_a_Stick · · Score: 1

    I really doubt that their objection is based at all or in part on any perceived dilemma of being forced into using "black hat" techniques.

    Firstly, they haven't really stated what they consider to be a "black hat" technique, though I strongly suspect they mean that they object to actually having to develop and maintain code instead of relying on existing Redmond-authored APIs that provide a spoonfed data conduit.

    Symantec's AV/Security products rely on MS' file access APIs - as do most other major AV packages.
    This means that they inherit all the weaknesses of the underlying Win APIs. This in turn is why they cannot detect, clean or prevent access to malware which cannot be addressed via the MS APIs. I have had one virus and one trojan that Norton could not detect or clean, but which AVG and Kaspersky had no trouble blocking access to and tossing into quarantine. Neither relies on MS file access APIs in its scan engine. Is this a "black hat" technique? If so, then black hat techniques are pretty much a requirement for effective security, and Symantec should wise up and get to work.

  49. MS creating their own anti-virii by orielbean · · Score: 1

    Would this be in line with Microsoft producing their own protection software and trying to drive others out of their market share? Sure would be a convenient way to do it, forcing Symantec, et al, to resort to hacking or paying extortion fees for kernel hook-ins.

  50. Re:Please get it right by Anonymous Coward · · Score: 0

    The name is Windows, so it would be "Windows's" or "Windows'," not Window's.

    How 'bout we just call it what it is:
    broken

  51. these third-party companies wouldn't even exist by ic4x0r · · Score: 2, Interesting

    if it weren't for all the security flaws in Windows. They make their revenue based on the fact that there are security flaws that can be exploited by viruses and spyware. If people randomly stopped making viruses, then these third-party companies would be out of business, too.

  52. Exactly what do you consider difficult? by computational+super · · Score: 1
    using these techniques is not a difficult trick.

    You keep using that word. I do not think it means what you think it means.

    --
    Proud neuron in the Slashdot hivemind since 2002.
  53. Re:"using these techniques is not a difficult tric by giorgiofr · · Score: 1

    Yes, and it also prevents lots of well intentioned companies from writing a damn driver for their hardware. If you switch around the API with every point release, your kernel becomes high maintenance and not many (especially small) companies are able to put up with that.
    Think about this the next time you complain about the lack of drivers for Linux. Sure, some of them are proprietary. Some are never going to be developed because the company couldn't care less. But many others would be developed if only binary compatibility were somewhat guaranteed.

    --
    Global warming is a cube.
  54. Ahem... by The+MAZZTer · · Score: 1

    ...we are forgetting Microsoft has its own anti-virus software. I'm not saying MS is trying to shut out competition, but that MS wouldn't do this if it would break their own software. They probably have OneCare doing things the "correct" way.

  55. So what we're really saying is... by giantsfan89 · · Score: 1

    ...in Windows software world, your anti-virus hacks you?

    But it's for your benefit?

    --
    Don't ping my cheese with your bandwidth!
  56. Perhaps door #3 by Anonymous Coward · · Score: 0
    Windows, on the other hand, doesn't have that sort of luxury. If MS were to re-write their code so that no previous versions of software would work, and all developers had to start over from scratch and learn new methods to program, it would cause disastrous consequences both for MS, and potentially for the world over.
    ... or maybe they concurrently develop this new Windows, and offer it as a second OS while the rest of the world gets caught up. Kinda like how the NT line eventually ended the 9x line. I realize that this isn't a perfect example, but if it makes an overall better product, couldn't we support that effort?

    Otherwise, choose Linux, the other OTHER white meat!
  57. Host based security is usually a virus by Anonymous Coward · · Score: 0

    I actually had more problems with host based security being why my computer doesn't work rather than an actual virus, worm, trojan, or whatever. The cure is worse than the disease. Either it eats up CPU without regard, blocks network access to legit programs, or destroys my HD. And it's always because the host based products try to hook the kernel with their horribly buggy products. One of my favorite such occurrences was the security product that hooked the kernel and actually smashed the TCP/IP stack, and the OS had to be reinstalled. No network connections would work. My point: host based security doesn't work, and the algorithms are expensive. It's just not worth it.

    Now here is where the host based salesman tells you that your network IPS system can't see encrypted traffic and you aren't really protected. However, I'm not sure how it could really do what he claims since so much encryption/decryption happens inside the process, and not the OS. VPN connections, sure, maybe it can see the traffic. But think about the SSL connections you create in your programs. The OS doesn't know you're encrypting or decrypting traffic. So how will hooking the OS allow your host based agent to see my SSL traffic? You might be able to do some sort of hare-brained hooking of the processes with DLLs or something like that, but what if the program is in Java, Ruby, or some non-native language? That technique is limited to only native apps. So actually I think it's just market bull in terms of why you think you need desktop protection.

    My answer is the network has plenty of security that is better maintained and updated than the endpoints. Virus scanning happens in the email servers, network protection devices sit inline blocking known security threats, proxies scan http/ftp downloads, and everyone should be behind a NAT router so Windows Firewall is not necessary. I trust the ISPs or Google to update their virus/security content more frequently than my grandmother. Granny has Symantec on her system, but it's worthless because Granny on the computer doesn't maintain it. Let the network ops maintain it, let the network secure itself, and stop trying to put security at every end point, which is largely unmaintained. It just doesn't scale and still provide a reasonable amount of protection. Host based security is the biggest chunk of snake oil salesmen ointment.

  58. But do they? by Mongoose+Disciple · · Score: 1

    If I make $100 million by doing something dirty, and I'm fined or have to settle a case for $10 million as a result, did I really lose?

    I could be wrong, but I get the impression that a lot of the Microsoft lawsuits go that way. They "lose", but meanwhile, they've crushed their opposition beyond repair, which overall makes them money.

  59. Get over it by DarkOx · · Score: 1

    Look, many here are going to argue that Microsoft is being anticompetitive, and maybe they are or maybe they are not; it's not really the point. What is M$ supposed to do?

    On the one hand they could make kernel hooks available to vendors and perhaps secure their use with code signing or something. Then the AV companies would be happy; but it would only be moments before some blackhats found a way to exploit the system and make their code look legit. Once it is exploited M$ is again accused (fairly) of producing software that really does not meet reasonable security expectations for what it costs and they risk losing market share.

    The other option is to lock down low-level access as much as possible and keep non-M$ code out of kernel space; lots of the biggest security problems become much easier to solve and M$ can produce a better product. Now they might sell some enhancements that would be M$ code that could run where others can't, and that might look unfair, but we live with all sorts of other products that discourage after market parts as well. The next obvious question is: if the black hats can bypass security, why can't the security vendors, who can at least count on the person installing the software having root level permissions on the system? Sure, you might be playing a game of hide and go patch with M$ breaking stuff all the time, but lots of people do that already.

    The real story here, folks, is we don't live in a command economy. If you make something you had better be sure there is a need or want out there for your product. You also need to understand that MARKETS CHANGE; if your organization has a single revenue stream you better be developing others or finding new markets for your one product.

    If M$ actually succeeds in producing a system with pretty good overall security then two things are true: one is that many users decide that additional security software offers too little utility to invest in at any price, and two, given the number of players in the security market there would likely be so much supply that prices would have to drop until the less efficient firms vacate the market.

    Being upset with M$ securing their product as a security software developer would be a bit like a garage owner being upset that auto makers are putting out cars that only need tune-ups every 5 years instead of every 5k miles. It might suck to be a security vendor or a garage owner but those are the breaks. Best stop crying and find a way to use your talent for something people will still want; you would be better served.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:Get over it by grcumb · · Score: 1
      "The other option is to lock down low-level access as much as possible and keep non-M$ code out of kernel space; lots of the biggest security problems become much easier to solve and M$ can produce a better product."

      Exactly! I mean, that's how BSD and Linux do it... isn't it?

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  60. Re:Why do anti-virus applications need kernel acce by LocoMan · · Score: 1

    It's really a catch-22 situation. If MS doesn't provide a way for AV programs to load directly into the kernel, they aren't as effective.... on the other hand, if they do provide a way, that way can (and will) be leaked so that viruses and rootkits use it as well, rendering the new security measures useless.

    I guess it'll be a wait and see if these measures will work or not... if the kernel security system, coupled with the non-admin use, works as intended, then the AV programs won't be an issue to begin with. What I wonder is that they say that the blackhats can bypass it... so, did they find out how? (and more importantly, did they report it to be fixed?)... and how easily?... I mean, if bypassing it depends on actually being on the computer, or getting the user to install an unknown program (inputting his admin password), I don't see it being much of a deal, since that would be more of a user problem than an OS one.

  61. Re:Microsoft have their own security product - so by b0s0z0ku · · Score: 1
    Nope, Microsoft want to charge you $49.95 for three PCs for a year. Other than the free AV products, I don't know of any "cheaper alternatives"; care to elaborate?

    The free AV products. Avast is very good and has actually caught infected files that Symantec ignored on my customers' PCs. I see no reason to pay M$ $50/yr if free products that are likely just as good as *their* software are available.

    -b.

  62. Re:Microsoft have their own security product - so by NSIM · · Score: 1

    Agreed, free products are certainly worth exploring, but the implication in the original message (in my opinion) was that Microsoft's solution was more expensive than other commercial solutions like Norton etc., which I don't believe it is.

  63. Don't Drink the Water by dunng808 · · Score: 1
    No good. Microsoft will stop supporting them.

    Go listen to "Don't Drink the Water" by the Dave Matthews Band (sorry I can't include a link to the audio file, you know how it is, but the text is on-line) and think about how the words apply here. Chilling.

    --

    Gary Dunn
    Open Slate Project

  64. Re:"using these techniques is not a difficult tric by mabhatter654 · · Score: 1

    Excellent point, most 32 bit processors don't have the process execution flag enabled.. but nearly ALL 64 bit processors have the feature. When Vista comes out, all desktop processors will be 64 bit. I believe Core 2 Duo desktop is ready. The second clue would be Apple seems to be gearing for 64 bit as well, so Intel will be pushing it heavily in the next 6 months. That processor shift could neatly include the TPC and anything else. Most importantly, the cool new media, protected content features could be only available to the new 64 bit processors on the new Vista OS. Minimal backward hacking compatibility because older PCs don't have 64 bits or the SSE3 instructions, registers, processor commands to even allow the hacked code to run. Interesting idea.

  65. Re:Microsoft have their own security product - so by dunng808 · · Score: 1

    What you defend is classic Microsoft anti-competitive behavior. Charge less, and wait for the competition to abandon that market segment or go under. N-E-T-S-C-A-P-E. Operating "Windows Live OneCare" at a loss is not a problem for Microsoft. They don't rely on it to pay the rent.

    Consider this series: "OneCare" -- "MonoCare" -- "Monopoly"

    "No more worrying about different versions of your antivirus software."

    --

    Gary Dunn
    Open Slate Project

  66. In other news,,, God gives us BrainGaurd, however by Anonymous Coward · · Score: 0

    BrainGuard is a new gift from God that prevents diseases from Satan, like Alzheimer's, from taking control of your brain. However, it looks like some doctors, researchers, and insurance companies now claim to have been locked out of a big piece of the health industry.

    However, BrainGuard does not protect against all of Satan's tricks, like cancer, which still need additional research. One has to wonder why, now that one problem is solved, these unemployed entities cannot go to work on new/additional problems and are not rejoicing that such a big problem like Alzheimer's is cured.

    When asked for comments, God said, "I don't understand it, I prevented the problem, nobody gets the disease anymore, why are they unhappy.. I should just re-write the whole thing to be perfect"

  67. Drivers by Z34107 · · Score: 1

    If Windows implements an approved kernel hook for the antivirus companies, it will get exploited

    Not exactly - Windows Vista breaks a lot of hardware support by forcing most drivers to exist in user mode instead of kernel mode. This keeps the system more stable because a crappy driver running in user mode won't bluescreen the computer and besides, your printer driver doesn't need to be in ring 0 anyway.

    Most antivirus software uses a kernel mode driver to implement "on-access" scans or to see past a user-mode virus trying to cloak itself in some way. It's not that Microsoft isn't implementing a special backdoor hook; they just disallow almost every kind of kernel mode driver in Vista.

    --
    DATABASE WOW WOW
  68. Admin by Z34107 · · Score: 1

    Administrator accounts in Vista are much better handled than in XP. Even when you're logged on as an administrator in Vista, you run with user privileges. Should a program actually NEED your admin powers, a little dialog box pops up whenever a program tries to use admin privileges. (It's a little annoying, but it doesn't happen as often as you'd think and it's much more secure.) When on a strictly userland account, this box also has a prompt for the admin password.

    For games and other programs that pretty much scream for administrator access, you can still have them run with admin privileges like in XP. The Vista build of Internet Explorer 7 also takes advantage of some security tweaks in the kernel that let it run as a super-limited user account - all ActiveX controls spawn as processes of the low-privilege IE7 thread (and inherit IE's restrictions), and all file reads/writes are redirected by the OS to a junk folder. So, even visiting an exploited website with IE while running as an administrator on an unpatched system probably wouldn't result in an infection.

    --
    DATABASE WOW WOW
  69. Re:Microsoft have their own security product - so by NSIM · · Score: 1

    I'm not defending it, and the post I responded to was talking about how Microsoft was trying to destroy *less* expensive products. Perhaps you should read the whole thread before responding!

  70. Take It Or Leave It by jonathansizz · · Score: 1
    In all of this, Microsoft forgets the most important thing -- It's my freakin computer! If Microsoft hinders me from getting done what I (remember me? I'm the consumer) want, then I have to reconsider my OS decision -- which I did -- about 5 years ago -- and never looked back.
    Exactly. But there aren't many who are following you. And Microsoft is well aware of this. They have little motivation to put any real effort into security, as the vast majority of their customers will stay with them no matter what. That's why it's called 'vendor lock-in', after all.
  71. Re:Why do anti-virus applications need kernel acce by driddle · · Score: 1

    It's really a catch-22 situation. If MS doesn't provide a way for AV programs to load directly into the kernel, they aren't as effective.... on the other hand, if they do provide a way, that way can (and will) be leaked so that viruses and rootkits use it as well, rendering the new security measures useless.

    Well, there is a third way: run the anti-virus/Trojan/root-kit software from a boot CD. That solves all the problems.

  72. I guess it is a little off-topic, but... by madcow_bg · · Score: 1

    ... it kind of looks like: we want to take away your privacy/freedom so you could be safer. I mean, not strictly speaking only about MS vendor-locking...

  73. Ok Linux Security Admin Options. by Anonymous Coward · · Score: 0

    Normal security level: light selinux protection on daemons and the like.
    Low: selinux disabled; bad things can happen at this level.
    Notice only Normal and low. Can you harm the system as root user?

    Preparing for an attack mode: selinux fully on, strict mode. Even if logged into root, depending on settings root might not be able to reconfigure the system. Fully on and locked down, the only way to reconfigure the system is to reboot and alter the boot loader to put the system into Normal or low mode (hopefully you pull the network cable at this point so the system is not at risk in low or Normal mode).

    And that is using off the shelf Linuxes.

    There are other things other than selinux that can be added to harden it even more.

    The point: the security is truly in the hands of the system admins. With Windows it is not. Signing of drivers is optional in Linux.

  74. Re:Why do anti-virus applications need kernel acce by Palinchron · · Score: 1

    Actually, there is an official way to filter filesystem access in a well-defined manner, and antivirus systems do use it.

    However, not all threats are filesystem-based, so this method - on its own - is insufficient. If you want to add an additional protection - such as protect your antivirus processes from tampering - you'll have to hack your way around it, as is frequently done by both antivirus vendors AND blackhats (and Sony, too).

    --
    The lesson here is that a sufficiently large corporation is indistinguishable from government. --ultranova
  75. windows has no security from Microsoft by lpq · · Score: 1

    It's not that Windows will be secure, exactly; it will still be able to download disabling code from Microsoft. Their firewall is transparent to their own software.

    Recently, I was forced onto SP2 (new computer, old computer died, even linux won't run on the new system -- doesn't see the SAS Harddisk at all nor the Gigabit Broadcom ethernet; I'm sure it will be supported in 12-18 months :-( ).

    But one of the brilliant things I noticed about their "security upgraded XP" was that it seemed to "disable" most of my current security. Now windows goes around the firewall product I have installed. Other software is still blocked. Even MS-sites appear to be blocked, but the WGA-authentication and update routines -- they just go around the firewall.

    This will be the end of users controlling their machines that run MSed-upOS. The creator of the sysinternals site was happy about Microsoft adding new "managed" hooks to allow programs to monitor various functions -- but my guess is it's the equivalent of a sucker punch. Vendors switch to the new interfaces to do monitoring, but anything that MS wants to hide will be hidden from their new "hooks".

    SP2 also ignores user and computer proxy settings -- it first tries to go direct (around my SW firewall) .. too bad it's on an internal, non-routable subnet. When I complained to MS-support about the update problem, they had me uninstall my firewall software completely -- to download "patches" (not install or download an SP2-upgrade), just the normal "firedrill Tuesday".

    Then they told me I had to take my computer out of a domain, and wanted me to hook it up directly to the internet so it could go around any checks on their access. Sorry, I told them, I wasn't in a position to eliminate the proxy server from the equation (it actually would be a pain, even if I wasn't annoyed by their blatant attempts to circumvent my network security).

    Yeah -- great! We can all rely on MS to keep us safe, because we know they will never download anything harm(WGA)full that could accidentally deactivate our computer. It's such a pain, as well, to keep calling them up to get activation codes... it takes way too much time and I usually get shunted over to a person who tries to grill me about multiple installs. I tell them the truth. If they put out an OS that didn't need reinstallation on a frequent basis, they wouldn't keep getting license hits from the programs I have to reinstall. Idiots.

    -l

  76. Really? by edward.virtually@pob · · Score: 1

    It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but force security software companies to give up developing software for Windows.

    What? Microsoft exploit its control of the operating system to destroy competitors? Surely you jest. HA HA HA!

    "A laugh can be a very powerful thing. Why, sometimes in life it's the only weapon we have," Roger Rabbit

  77. PatchGuard is NOT security by Myria · · Score: 1

    Despite what everyone seems to think, PatchGuard is not security. It's "security through obscurity", which is not security. If you are a rootkit running in kernel mode, you can patch out PatchGuard. It may be difficult to reverse engineer, but it CAN be defeated. I still think it's a great idea.

    The "security" vendors out there have nobody to blame but themselves. For years now they've been installing badly designed "security" software that damages the integrity of the system. This software adds hooks into syscalls that frequently crash the system or make it easy for unprivileged user-mode programs to crash the system. Worse, some of these unintentionally add back doors to the system that allow privilege escalation.

    PatchGuard prevents legitimate software developers from doing things they shouldn't be doing. If a legitimate software developer breaks PatchGuard, the next second Tuesday their software will stop working. Meanwhile, rootkits are completely unaffected; they've pwned your system for a month already.

    Many people suggest that kernel drivers should need to be signed to solve these problems. This is a terrible "solution" for many reasons. For one, you have to severely restrict user mode in order for it to work. To explain it to UNIX users, "mkfs", "fsck", etc. would have to become kernel programs because otherwise bypassing signature checks becomes easy: overwrite /dev/hda with a hacked MBR and reboot.

    Driver signing throws the ability to write kernel software out the window for anyone not able to pay the VeriSign Tax - and only corporations, not individuals, can get such a signing key.

    PatchGuard does have one problem from my perspective: you cannot implement features that Microsoft hasn't implemented or has removed. For example, I wanted to make my own NTVDM for Win64 since Microsoft removed it. I found out that it is impossible, because Microsoft removed support for LDTs in Win64. You can't add it yourself with a kernel driver, because you'd need to patch the context switch mechanism - the kernel doesn't have code to switch LDTR values between processes anymore.

    Melissa

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager