Slashdot Mirror


Windows' Patchguard Hinders Security Vendors

eldavojohn writes "Windows' PatchGuard seems to be upsetting third party security vendors such as Symantec, Sana Security and Agnitum. It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but it will force security software companies to give up developing software for Windows. From the article: 'PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista,' said Yankee Group analyst Andrew Jaquith. 'Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.' Apparently, using these techniques is not a difficult trick."

14 of 187 comments

  1. Oh noes! by Aladrin · Score: 5, Insightful

    "Oh noes, windows has security! What'll we do?"

    C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:Oh noes! by gstoddart · Score: 4, Insightful
      C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods?

      Well, history tells us that the likelihood of Windows actually securing itself is pretty slim.

      If they could use black hat techniques, then it wouldn't be secure now, would it?

      Having said that, it's a catch-22. If Windows implements an approved kernel hook for the antivirus companies, it will get exploited. If they don't, then no antivirus software, but just as many virus writers.

      Whether or not Microsoft is going to help 3rd parties sell software to secure Windows, there will be people doing the same things they do now. Except in that case, the consumer is on their own and waiting for Microsoft to stop them from getting pwn3d.

      Cheers
      --
      Lost at C:>. Found at C.
    2. Re:Oh noes! by Jimmy+King · Score: 4, Interesting
      "Oh noes, windows has security! What'll we do?"

      C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.
      Part of the complaint, though, is not just that they cannot provide proper security software for it but that MS' solution isn't actually providing any security. What they are saying is that this "security" feature makes it pretty much impossible to properly/legitimately do their job, but doesn't actually stop a good many of the techniques that hackers use.

      Whether MS' technique works or not, it's bad for us as it limits our choices.

      Of course I'm sure neither of these is a concern to Symantec, only that they'll make less money, but they are still valid arguments to consider.
    3. Re:Oh noes! by Fordiman · Score: 4, Interesting

      Does anyone else smell a new monopoly suit?

      Microsoft moves into system security (with their firewall, spyware tool, and I think they recently bought an AV company), and then sets up a 'security' feature that just happens to block out their competitors?

      Yeah... that smells pungent to me.

      --
      110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
    4. Re:Oh noes! by Nigel_Powers · Score: 5, Insightful

      Don't kid yourself...this is NOT a case of Windows securing itself -- this is revenue protectionism at its best. Microsoft is actively trying to make third-party security vendors a thing of the past.

      In all of this, Microsoft forgets the most important thing -- It's my freakin computer! If Microsoft hinders me from getting done what I (remember me? I'm the consumer) want, then I have to reconsider my OS decision -- which I did -- about 5 years ago -- and never looked back.

    5. Re:Oh noes! by phasm42 · Score: 4, Insightful

      To add to your point, customers won't care when their viruses/malware break, but they will care when the security software they paid for breaks. It could also discourage people from applying updates, out of fear it will break their security software.

      --
      "No one likes working in a hamster wheel, and your shop smells of cedar shavings from here." - TaleSpinner
    6. Re:Oh noes! by myowntrueself · Score: 4, Interesting

      The fact that you can't do anything in Windows without being the admin has always been a major source of problems.

      I agree, but there's no *point* in doing anything in Windows without being admin.

      There is no point in running Windows as a non-privileged user.

      If you doubt my word, log into your favorite Windows as your unprivileged user and set up a scheduled task to run cmd.exe.

      When the scheduled task runs and you get a command window try and see what you *cannot* do on the system...

      (I used to put a great deal of effort into running as an unprivileged user; I spent hours trying to get games to run without having to be Admin. It seems that I totally wasted my time. Thanks, Bill.)

      --
      In the free world the media isn't government run; the government is media run.
  2. does this mean... by krell · Score: 5, Funny

    Does this mean there will be a new day of the week devoted to patching the patchguard?

    --
    Where were you when the voynix came?
  3. Should be an optional feature. by DNX+Blandy · Score: 5, Insightful

    "Window's PatchGuard" should be an optional feature. If you don't want to use it (like me!), you should be able to NOT include it when installing etc. Being able to do what you want is the best way; forcing users only pisses them off.

    1. Re:Should be an optional feature. by cyber-vandal · Score: 4, Insightful

      Yes you could just run your software on one of the many other Windows compatible OSes out there. Oh wait....

  4. Why does this sound familiar? by plasmacutter · Score: 4, Insightful

    I remember something about the entire kernel becoming a "protected process" under an MS implementation of TCPA/TCG/Palladium/(insert name of the week meant to spoof DRM watchers here).

    This was meant to be an "effective" means to stop viruses, but it served more to force licensing fees out of companies which provide security solutions and to stop independent tinkerers (also known as "good" hackers) from providing cool kernel mods for power users.

    --
    VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
  5. Re:Why would microsoft bother? by AugustZephyr · Score: 4, Funny

    Apparently Microsoft thinks that its security measures are good enough that you don't need antivirus to protect you.

  6. Debugger Disables by mugnyte · Score: 5, Interesting

    It is fascinating that TFA explains how if a boot routine can initialize a "debugger attached" flag, the PatchGuard system is not initialized. From this aspect alone, I'd say MS should start playing more nicely with the vendors, since any malicious code worth its salt should set this value permanently and then replace kernel routines on disk as necessary.

    Also, given the fact that MS intends to make patching the standard for releasing a secure OS, the vendors can't really do this kernel checking themselves. Thus, I think it's safe to say from the perspective of this article, the OS's kernel is patchable by anyone.

  7. Re:Why would microsoft bother? by jd · Score: 5, Interesting
    The obvious answer would be for Microsoft to define a well-known API for security software, where the entry-point for that set of functions is damn-near impervious. (A simple example - require that all software using such an API be digitally signed by a trusted vendor and counter-signed by the registered owner of the software. In a corporate setting, this would mean that patches would need to be signed off on by the IT department. In the home setting, users would have to specifically state that they approve that level of access for the software.)


    Certificates of trust already exist in Windows. They're used by web browsers. It would be trivial to use the code that is already present to check for a valid certificate. The second layer of protection - requiring the user/IT department to countersign the patch - would make transparent breakins much harder. Not impossible, but definitely much harder.


    Of course, this is all pointless these days, anyway. All a rootkit writer has to do is develop a mini hypervisor or hijack one already in use. For zombies, viruses, etc, you'd then have the externally-visible interfaces in the OS and everything else concealed outside. BIOS viruses could also be quite lethal, as they too would bypass this protection. Far too low a level for the OS to detect. These days, with graphics processors essentially being parallel CPUs, I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)