Windows' Patchguard Hinders Security Vendors
eldavojohn writes "Windows' PatchGuard seems to be upsetting third party security vendors such as Symantec, Sana Security and Agnitum. It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but force security software companies to give up developing software for Windows. From the article: 'PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista,' said Yankee Group analyst Andrew Jaquith. 'Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.' Apparently, using these techniques is not a difficult trick."
"Oh noes, windows has security! What'll we do?"
C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' PC protection companies can't deal with Windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
Does this mean there will be a new day of the week devoted to patching the patchguard?
Where were you when the voynix came?
"Windows' PatchGuard" should be an optional feature. If you don't want to use it (like me!), you should be able to NOT include it when installing, etc. Being able to do what you want is the best way; forcing users only pisses them off.
I remember something about the entire kernel becoming a "protected process" under an MS implementation of TCPA/TCG/Palladium/(insert name of the week meant to spoof DRM watchers here).
This was meant to be an "effective" means to stop viruses, but it served more to force licensing fees out of companies which provide security solutions and to stop independent tinkerers (also known as "good" hackers) from providing cool kernel mods for power users.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
Apparently Microsoft thinks that its security measures are good enough that you don't need antivirus to protect you.
What? Did you run out of kayak stories ??? What sort of place is this anyway ?
It is fascinating that TFA explains how if a boot routine can initialize a "debugger attached" flag, the PatchGuard system is not initialized. From this aspect alone, I'd say MS should start playing more nicely with the vendors, since any malicious code worth its salt should set this value permanently and then replace kernel routines on disk as necessary.
Also, given the fact that MS intends to make patching the standard for releasing a secure OS, the vendors can't really do this kernel checking themselves. Thus, I think it's safe to say from the perspective of this article, the OS's kernel is patchable by anyone.
Um, how is this security if it's easily bypassed? Isn't the point behind any security layer to make it so nobody can bypass it? Seems to me that if it's that easy to circumvent, Microsoft is just spinning its wheels, and there will be plenty of market for companies like Symantec/McAfee to compete in. It's not like the virus/trojan/malware writers give a single shit about any layer of security that they can bypass. Easily.
Symantec should be glad that Vista will have this ineffective security layer, so they can sell software to patch it.
A few years ago in Office 2000 Microsoft dictated what attachments you could receive and what you could not. It sounds like Microsoft is attempting to create a business model of "If you want security you get it from us." and "We know better, you do it our way." Does the phrase duck and cover mean anything to anybody?
-- I am the NRA, enough said...
1) Company creates horribly insecure OS.
2) New multi-billion $$ industry sprouts for the sole purpose of securing said OS.
3) Insecure OS company institutes blatantly obvious absolutely worthless security "features".
4) No longer new multi-billion $$ industry complains because new BS security measures are worthless & the new features steal their pennies.
4.5) Linux zealot chimes in on how these issues are not issues under their chosen OS.
5) Horribly insecure OS company forms new multi-billion $$ industry to secure their horribly insecure OS in a proprietary fashion.
6) Ballmer covers the $1 he owes Gates for the bet they made on whether or not they can steal the billions from the industry that wouldn't exist had it not been for them & their lax attitude toward secure coding practices while blaming the whole fiasco on Google & Linux all the while creating a brand spanking new completely worthless multi-billion $$ proprietary industry. (Thank you Mortimer, er I mean Ballmer)
Certificates of trust already exist in Windows. They're used by web browsers. It would be trivial to use the code that is already present to check for a valid certificate. The second layer of protection - requiring the user/IT department to countersign the patch - would make transparent breakins much harder. Not impossible, but definitely much harder.
Of course, this is all pointless these days, anyway. All a rootkit writer has to do is develop a mini hypervisor or hijack one already in use. For zombies, viruses, etc, you'd then have the externally-visible interfaces in the OS and everything else concealed outside. BIOS viruses could also be quite lethal, as they too would bypass this protection. Far too low a level for the OS to detect. These days, with graphics processors essentially being parallel CPUs, I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
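As an added illustration of the two-layer scheme the commenter above describes (a vendor signature on the patch, plus a countersignature from the user or IT department before it is loaded), here is a small Go program that is not part of the original comment or any vendor's product. It uses Go's standard crypto/ed25519 package in place of the Windows certificate store; the patch image, the keys and the scenario names are all constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// samplePatch is a constructed stand-in for a kernel patch / driver image.
var samplePatch = []byte("constructed sample driver image, not a real binary")

// SignedPatch is the image plus the two signatures the comment describes:
// the vendor's signature and the local (user or IT department) countersignature.
type SignedPatch struct {
	Image      []byte
	VendorSig  []byte
	CounterSig []byte
}

var (
	ErrVendorSig  = errors.New("vendor signature invalid")
	ErrCounterSig = errors.New("countersignature missing or invalid")
)

func digest(image []byte) []byte {
	h := sha256.Sum256(image)
	return h[:]
}

// counterMessage binds the countersignature to the image *and* the vendor
// signature, so the local party approves exactly this vendor-signed image.
func counterMessage(image, vendorSig []byte) []byte {
	h := sha256.New()
	h.Write(digest(image))
	h.Write(vendorSig)
	return h.Sum(nil)
}

// SignPatch is the vendor's step.
func SignPatch(image []byte, vendorKey ed25519.PrivateKey) SignedPatch {
	return SignedPatch{Image: image, VendorSig: ed25519.Sign(vendorKey, digest(image))}
}

// Countersign is the local approval step.
func Countersign(p SignedPatch, localKey ed25519.PrivateKey) SignedPatch {
	p.CounterSig = ed25519.Sign(localKey, counterMessage(p.Image, p.VendorSig))
	return p
}

// VerifyPatch is what a loader would run before touching the kernel:
// vendor signature first, then the countersignature. A nil or wrong-length
// signature simply fails verification.
func VerifyPatch(p SignedPatch, vendorPub, localPub ed25519.PublicKey) error {
	if !ed25519.Verify(vendorPub, digest(p.Image), p.VendorSig) {
		return ErrVendorSig
	}
	if !ed25519.Verify(localPub, counterMessage(p.Image, p.VendorSig), p.CounterSig) {
		return ErrCounterSig
	}
	return nil
}

// RunScenarios exercises the loader check on a valid patch and three rejected cases.
func RunScenarios() map[string]error {
	vendorPub, vendorKey, _ := ed25519.GenerateKey(rand.Reader)
	localPub, localKey, _ := ed25519.GenerateKey(rand.Reader)
	_, strangerKey, _ := ed25519.GenerateKey(rand.Reader) // constructed untrusted key

	good := Countersign(SignPatch(samplePatch, vendorKey), localKey)

	// Image modified after both signatures were made (e.g. altered on disk).
	tampered := good
	tampered.Image = append([]byte(nil), good.Image...)
	tampered.Image[0] ^= 0xff

	// Vendor-signed but never approved locally.
	noCounter := SignPatch(samplePatch, vendorKey)

	// Vendor-signed, but the "countersignature" comes from a key the machine does not trust.
	wrongCounter := Countersign(SignPatch(samplePatch, vendorKey), strangerKey)

	return map[string]error{
		"valid":             VerifyPatch(good, vendorPub, localPub),
		"tampered image":    VerifyPatch(tampered, vendorPub, localPub),
		"no countersign":    VerifyPatch(noCounter, vendorPub, localPub),
		"wrong countersign": VerifyPatch(wrongCounter, vendorPub, localPub),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The countersignature covers the vendor's signature as well as the image, so the local approval cannot be transplanted onto a different vendor-signed build; the loader checks the vendor signature first, which is why a tampered image is reported as a vendor-signature failure even though the countersignature would also fail.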
"-Make programs have an .EXE extension to execute! No more .SCRs, for example. They're getting worse rather than better about this; I downloaded the AOL antivirus to try it out (OT rant about it follows) and the download had a .MSI extension. It confused me for a minute; is this like .ISO when it's really not an ISO but you have to rename it to get through the firewall? No, it just ran, and installed AOL's software."
Every GUI OS understands the concept of file -> application mappings. Most use file extensions as one method of performing the mapping. MSIs are mapped to the Microsoft Installer application. There's nothing malicious or secret going on there. Or are you really stupid enough to open Notepad and use the menu to open a text file instead of just double-clicking the file directly?
If Microsoft intends to have its own anti-virus software/mechanism they must feel they're capable of doing this without the kernel hooks requested by Norton and ilk. The only thing I would take issue with is if Microsoft uses an undocumented API in order to get an unfair advantage over the third party vendors. When that happens, wake me up and I'll get back up on my anti-Microsoft $oapbox. Until then... bleh.
Check out my lame java blog at www.javachopshop.com
Windows Live OneCare service?
Many people knock Windows for being insecure, but it's not like Microsoft WANTS it to be that way. No, the people who want it to be that way are the "security" companies. Anti-virus companies have profited from security flaws and viruses alike for many years now, and it has become a rather booming business and the focal business model for companies like McAfee and Symantec. These companies have a vested interest in maintaining security flaws and the propagation of viruses out on the internet.
Let's say the unimaginable does happen: Windows implements some radical change to secure the OS. What happens to these companies? They stand up and try and present themselves as our saviours against these "evil black hats", but aren't they the ones with the most to gain from the current business model? By making Windows secure, they will effectively end a decade-long business model for these security companies by making them obsolete. That's a good thing for users, but a bad thing for them.
I find it appalling that they would consider Microsoft taking steps to secure their OS as being "anti-competitive" in nature. The "security" market in this case exists only due to flaws and vulnerabilities in Windows. Flaws which Microsoft has stated time and time again they are trying to correct.
I think people underestimate the task put forth before Microsoft in making Windows secure.
Take a look at MacOS. Crashed a lot, lots of security flaws and viruses for being such a small market share at the time. Apple realized the problem, and understood that constantly applying band-aids to a broken OS wasn't working. They re-did the entire OS to get OSX. The problem, of course, is no OS 9 programs run natively in OSX. They had an emulator for a while, and a lot of people struggled with the transition. Like a caterpillar to a butterfly, they were reborn in a more evolved state.
Windows, on the other hand, doesn't have that sort of luxury. If MS were to re-write their code so that no previous versions of software would work, and all developers had to start over from scratch and learn new methods to program, it would cause disastrous consequences both for MS, and potentially for the world over. Best case scenario would be Apple releasing OSX x86 on non-Apple hardware and taking over the entire market. This, of course, would be the virtual end of MS, which they have no desire to do.
Microsoft is faced with trying to secure a broken OS, without actually starting over (which isn't an option) or breaking the ability of developers to make software for the platform. I'd be curious (as I imagine MS would be too) if anybody can come up with a real solution to the problem? And if you can, can you do it while still allowing the current "security" companies to continue to cash-cow the general public?
If PatchGuard was optional, the first thing malware would do after getting into your computer is turn it off. (Of course, this is only a problem for people who want it turned on.) The only solution is to make security that can't be turned off.
The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.
The whole concept of add-on programs having access to kernel memory is so insecure that it has to go. UNIX and Linux limit it to loadable drivers, and the serious microkernels like QNX and IBM's VM don't allow it at all. But the Microsoft world, mostly for historical reasons, has all sorts of crap running with access to kernel memory, from various "security programs" to game DRM components. All that crap should have been taken out in Vista. The fact that it wasn't indicates how minor a change at the kernel level Vista is over XP.
if it weren't for all the security flaws in Windows. They make their revenue based on the fact that there are security flaws that can be exploited by viruses and spyware. If people randomly stopped making viruses, then these third-party companies would be out of business, too.