Slashdot Mirror

← Back to Stories (view on slashdot.org)

Windows' Patchguard Hinders Security Vendors

Posted by ryuzaki0 on from the only-game-in-town dept.

eldavojohn writes "Windows' PatchGuard seems to be upsetting third party security vendors such as Symantec, Sana Security and Agnitum. It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but force security software companies to give up developing software for Windows. From the article: 'PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista,' said Yankee Group analyst Andrew Jaquith. 'Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.' Apparently, using these techniques is not a difficult trick."

5 of 187 comments (clear)

  1. Debugger Disables by mugnyte · · Score: 5, Interesting

    It is fascinating that TFA explains how if a boot routine can initialize a "debugger attached" flag, the PatchGuard system is not initialized. From this aspect alone, I'd say MS should start playing more nicely with the vendors, since any malicious code worth it's salt should set this value permanently and then replace kernal routines on disk as necessary.

    Also, given the fact that MS intends to making patching the standard for releasing a secure OS, the vendors can't really do this kernal checking themselves. Thus, I think it's safe to say from the perspective of this article, the OS's kernel is patchable by anyone.

  2. Re:Oh noes! by Jimmy+King · · Score: 4, Interesting
    "Oh noes, windows has security! What'll we do?"

    C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.
    Part of the commplaint, though, is not just that they cannot provide proper security software for it but that MS' solution isn't actually providing any security. What they are saying is that this "security" feature makes it pretty much impossible to properly/legitimately do their job, but doesn't actually stop a good many of the techniques that hackers use.

    Whether MS' technique works or not, it's bad for us as it limits our choices.

    Of course I'm sure neither of these is a concern to symantec, only that they'll make less money, but they are still valid arugments to consider.
  3. Re:Why would microsoft bother? by jd · · Score: 5, Interesting
    The obvious answer would be for Microsoft to define a well-known API for security software, where the entry-point for that set of functions is damn-near impervious. (A simple example - require that all software using such an API be digitally signed by a trusted vendor and counter-signed by the registered owner of the software. In a corporate setting, this would mean that patches would need to be signed off on by the IT department. In the home setting, users would have to specifically state that they approve that level of access for the software.)


    Certificates of trust already exist in Windows. They're used by web browsers. It would be trivial to use the code that is already present to check for a valid certificate. The second layer of protection - requiring the user/IT department to countersign the patch - would make transparent breakins much harder. Not impossible, but definitely much harder.


    Of course, this is all pointless these days, anyway. All a rootkit writer has to do is develop a mini hypervisor or hijack one already in use. For zombies, viruses, etc, you'd then have the externally-visible interfaces in the OS and everything else concealed outside. BIOS viruses could also be quite lethal, as they too would bypass this protection. Far too low a level for the OS to detect. These days, with graphics processors essentially being parallel CPUs, I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  4. Re:Oh noes! by Fordiman · · Score: 4, Interesting

    Does anyone else smell a new monopoly suit?

    Microsoft moves into system security (with their firewall, spyware tool, and I think they recently bought an AV company), and then sets up a 'security' feature that just happens to block out their competitors?

    Yeah... that smells pungent to me.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  5. Re:Oh noes! by myowntrueself · · Score: 4, Interesting

    The fact that you can't do anything in Windows without being the admin has always been a major source of problems.

    I agree, but theres no *point* in doing anything in Windows without being admin.

    There is no point in running Windows as a non-priviledged user.

    If you doubt my word, log into your favorite Windows as your unpriviledged user and set up a scheduled task to run cmd.exe

    When the scheduled task runs and you get a command window try and see what you *cannot* do on the system...

    (I used to put a great deal of effort into running as an unpriviledged user; I spent hours trying to get games to run without having to be Admin. It seems that I totally wasted my time. Thanks, Bill.)

    --
    In the free world the media isn't government run; the government is media run.