Security Firm Bypasses Patch Guard
filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
I wonder what the implications will be for security: Oh, yes; Windows is already Swiss cheese... Dutch cheese! Now with 100% more holes!
Ninjas and pirates. How piquant.
What's more reckless... writing software with security holes and making its selling point the high level of security it contains... or discovering an exploit that defies the marketing team?
Yes, Microsoft's reckless ways *are* destroying the security of Windows users.
Necessity is the mother of invention.
If Microsoft hadn't been so assholeish about it, no one would have needed to circumvent their "protections".
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
You left the 'n' out of "defines".
Women are like electronics: you don't know how damaged they are until you try to turn them on.
Rather nice way to say "Thanks, we will fix this right away" eh?
So, the way to achieve this is by changing contents in the pagefile by writing disk sectors directly.
If such an obvious bypass has not been considered, how many other such issues exist that are yet undiscovered?
Then, the supposed 'fix' is to disallow writing raw disk sectors for any non kernel code. This will only work when not allowing for things like disk editors and recovery tools, because those would need ways to bypass this and this just opens up new attack vectors.
To users, security is about protecting the machine from external threats.
To Microsoft, security is about protecting the machine from everyone, including the owner and admin.
To users, security is about protecting the user's personal data and ability to use the machine.
To Microsoft, security is about protecting someone's data (not necessarily the user's) from everyone (perhaps including the user).
To the computer's owner, the machine is entirely their own domain, and exists for their own benefit to maximize their own interests.
To Microsoft, the machine is partitioned and not all of it belongs to the owner, ultimately to maximize Microsoft's interests.
To the computer's owner, their relationship to Microsoft is that the computer owner is the customer.
To Microsoft, their relationship to the computer's owner, is that the owner is both a customer and a product.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
When will people come to the realization that we will never truly create secure technology. Technology is only secure by secure processes, people, and practices.
I keep sitting here hoping... in fact praying (and I'm not a religious guy)... that SOMEBODY gets a court to understand how strongly the antitrust laws could be applied to something like this. Simple points:
1. Microsoft historically cannot secure its own operating system.
2. Microsoft wants to charge for securing its operating system.
3. Microsoft makes it difficult for *others* to secure its operating system.
Yeesh...
1. Ford historically makes cars that explode.
2. Ford wants to charge extra for a car with "options" that make it not explode.
3. Ford makes it difficult for others to make Ford cars not explode.
Get the gun Gertrude, I'm gonna join with old Uncle Ben.
Another consultant who stuck it out.
"We are the Priests, of the Temples of Syrinx..."
Malicious software and black hats will continue to use the pagefile exploit to overwrite what they need and do what they want, while legitimate software writers get locked out completely. Kind of defeats the purpose...or do you think that MS had a different purpose altogether?
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
The only realistic hope for security through obscurity is if your product never actually comes in contact with a customer. Doesn't matter what kind of black box you put things in - if it comes in contact with a customer, it should not be considered secret or secure.
If you can package it to put it into a black box, someone's either going to open it, poke at it for a response, or figure out how to replace it. And especially with computers, they'll figure out how to use it in a more general way than you intended.
If you cannot accept that your ideas, no matter how big or well-crafted, are just a part of the greater ocean of ideas, then as long as your ideas can be used, your ideas are going to be swept away against your wishes. Until the nature of humanity is changed, that is the nature of the way we deal with ideas (and thus software/hardware). I personally find much more comfort in that dynamic than pain - there are many more ways to use that dynamic rather than fight against the ocean, so to speak.
Ryan Fenton
Seems like MS wants in on Apple's game. Make hardware companies pay to have their drivers officially MS approved. Also keep people from using older, obsolete computers. In order to get that next version of Windows you'll need a new rig with all the 'taxes' paid up.
Isn't the whole reason for these security companies' existence Microsoft's "reckless ways"? Although the notion of a black box kernel can (and, I'm sure, will) be abused by MS to eliminate DRM circumvention (say goodbye to virtual CD drivers), isn't this the only true way of making sure that nothing gets past the kernel? Kudos to MS for plugging this hole.
"If your parents never had children, chances are you won't either." -Dick Cavett
It would seem to me that backwards compatibility is, once again, a security hole.
[Fuck Beta]
o0t!
The tighter you clench your fist, more bits will slip through your fingers.
Seriously, did they think this wouldn't be broken? This has become a bad joke. Big company uses software to protect their code, rag tag team of coders breaks it, big company throws a hissy fit, we all laugh at and mock the company.
How many more times must this happen before someone at one of these megalithic corporations realizes all they're doing is reinventing the wheel over...and over...and over again?
"Patch Guard ... is supposed to keep out ... security company competitors"
Uhm. Yes. According to -some- security company competitors whose entire livelihood depends on Windows being as insecure as it is? Certainly not according to Microsoft itself.
"Microsoft immediately responded"
really?
Microsoft doesn't respond anywhere in that article. In fact, page 2 (yes, it's one of THOSE articles) specifically reads:
"Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move."
So where -did- they respond?
"by saying their reckless
and that whole article doesn't contain the word 'reckless' at all. So where did they say this, again?
Mind you, the article itself is in error when on page 2 it states:
"Next Page: Microsoft defends itself."
And when you get to page 3, you get:
- a symantec spokesperson
- an industry watcher, possibly:
- Andrew Jaquith of Yankee Group
But absolutely no Microsoft. So where is Microsoft defending itself?
Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.
The whole point of the first article was that Microsoft "fixed" the pagefile workaround! I would have thought you're new enough here to RTFA!
Anyways, good riddance that this company found another way around...
The marketing team promotes the product while having little idea of how it works; it's not their job, their job is to sell the product. If anyone is EVER surprised that MS has flaws in its (in)security, well, I am at a loss for words on that one.
Vista is a product for MS to eliminate second party software companies of any kind and regain its fast track on a total monopoly of the market; it kills MS that users buy antispyware, antivirus, cd/dvd burning and authoring, etc, programs from companies other than MS.
As an informed consumer it is our duty to let them know in no uncertain terms what we want, and if they aren't delivering we will try Mac or Linux... yet we just keep bending over and say "it's up to you if you want to use vaseline before you bone me, AGAIN!"
Yeah, sure it is a far fetched conspiratorial theory. Mods, before you mod it troll or offtopic or weird or paranoid, take a look at the comments in the code outed by MainSoft. Obsolete version of Windows NT code. But it had numerous comments like, "Private entry point for Jim to get Excel access memory faster". Private entry points, calls that take shortcuts through several application layers and protocols... that is how security holes are made. Such close nexus between application coders and OS coders is the reason why such api-layers are violated.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Page Files... Wow.
I haven't had a machine with one of those in at least 5 years. I also don't have a 5 1/4" floppy drive anymore. Both turn a modern dual-core machine into an Apple ][e class machine.
In all seriousness, why is this even supported in 64bit Vista?
Memory is no longer a constraint in a 64bit system. If you can afford $450+ (widely leaked price) for the non-crippled Vista, you can afford the RAM. And if you're running a server, paging = death, even when using 15k RPM drives.
- Adam L. Beberg - The Cosm Project - http://www.mithral.com/
Either this exploit is already in the wild or you've missed your medication again?
So MS will fix it on the double. If it has already been shipped they will even issue an out of cycle patch like they did for the WMP crack. But any security hole that affects only the users and not MS's stranglehold on the market, they will tackle by waiting till the OS is end-of-lifed. Then they resolve the bug: "OS no longer supported".
Sure it's not perfect, nothing is, but I find the effort of making PatchGuard a step in the right direction. Here's the thing: if it were possible to prevent anything but pre-approved code from running in kernel space, there would be basically no need for vendors to hook the kernel in the first place.
Also, a lot of people are really talking it up about how Microsoft sucks and PatchGuard is just another flawed attempt at security by a company that doesn't know its ass from its elbow (or something to that nature)... but I haven't seen much if any effort by any of the other mainstream OSes to prevent kernel patching at all. It is downright trivial to write a Linux kernel module which hooks all sorts of critical data structures, same with FreeBSD and Solaris.
Is it the argument of the anti-PatchGuard people that if it can't be done perfectly, let's not even bother?
I guess the major driving point of my being a Microsoft apologist in this case is that, at least from an academic point of view, the kernel is supposed to be the only software which accesses these low level things and abstracts out interfaces for the rest of the software to utilize... the kernel shouldn't be exposing anything like direct disk access, or kernel space memory, to user space... ever, under any circumstances. Do that and things like rootkits are an awful lot harder to make in the first place.
Some Linux distros are starting to get the point by limiting and sometimes eliminating entirely access to /dev/kmem, which is a step in the right direction, but it's still not good enough.
The way I see it, Microsoft may not be perfect, but at least they are trying.
proxy
It's about two things.
The first and foremost: DRM DRM DRM. If drivers have to be signed and approved by MS, they have to be DRMed.
Second: it means MS doesn't have to worry about little hardware manufacturers and whether or not they will work with Windows. There was a direct quote from an MS bigwig on this... wish I had it.
The slashdot summary says "Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
But the article reads differently. "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move. O'Donnell said that Authentium has informed Microsoft of its work, and that the software company asked it to abandon the tactic and wait for its new APIs
vi +
According to Sophos, "PatchGuard is a positive step".
This posting itself only provides a direct link to a Sophos article, and does not indicate any opinion on the subject, either of mine or of my employer (whomsoever that may be - which I'm not telling you).
I'm not sure what effect PatchGuard and its related technologies will actually have on security, but they certainly do cause certain hardware configurations to become unusable and confiscate a great deal of power in Microsoft's hands. I wanted to experiment with an M-Audio Delta 1010LT pro audio card on Vista 64-bit, but M-Audio hasn't released any signed drivers for that particular card and has stated that they will not do so until Vista is officially shipped. Theoretically, it shouldn't have been possible for me to install the 64-bit XP drivers in their place, and it actually wasn't without some hacks. However, the necessary hacks are laid out in great detail in a public MSDN document and actually automated by some scripts in the latest Windows DDK: http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx I just followed MS' tutorial on disabling driver signature enforcement and had the XP 64-bit drivers installed in about an hour, after self-signing them using automated tools. So, I'm skeptical of the strength of these new security measures. By the way, the XP drivers didn't work after all. :-)
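As an added check (not code from the post above, from Microsoft, or from M-Audio), here is a PowerShell script that audits the two things that post exercises on a 64-bit Windows box: whether the boot configuration has kernel-mode signature enforcement relaxed (the testsigning switch from the linked kmsigning document, plus the older nointegritychecks switch), and which running drivers carry an embedded Authenticode signature that does not verify against a trusted root, which is exactly what a self-signed test certificate looks like. The function names, the regex for bcdedit's English output and the path normalisation are my assumptions; it needs an elevated prompt because bcdedit does.

```powershell
# Added audit script; not from the original post or from any vendor.
# Assumptions: Windows PowerShell 5.1 or later, elevated prompt (bcdedit
# requires it), bcdedit.exe on PATH, default English "name  value" output.

function Get-BcdSigningFlags {
    # The escape hatches the kmsigning document describes are boot-configuration
    # switches. {current} is the entry the running OS booted from.
    # Vista pre-release builds honoured nointegritychecks; later releases dropped
    # it, but it is still worth reporting if someone left it set.
    $flags = [ordered]@{ testsigning = $false; nointegritychecks = $false }
    $rows = & bcdedit /enum '{current}' 2>&1
    foreach ($line in $rows) {
        if ($line -match '^\s*(testsigning|nointegritychecks)\s+(Yes|No)\s*$') {
            $flags[$matches[1]] = ($matches[2] -eq 'Yes')
        }
    }
    return $flags
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver.PathName comes in several spellings (\??\C:\..., 
    # \SystemRoot\..., system32\drivers\...); normalise to a filesystem path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnverifiedRunningDrivers {
    # Caveat: most in-box drivers are catalog-signed rather than embedded-signed,
    # so they report NotSigned here. Only a non-Microsoft path with
    # NotSigned/UnknownError/NotTrusted deserves a manual look; for the catalog
    # case run: signtool verify /kp /v /c <catalog.cat> <driver.sys>
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Name   = $_.Name
                Path   = $path
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

$flags = Get-BcdSigningFlags
if ($flags.testsigning -or $flags.nointegritychecks) {
    Write-Warning ("Kernel-mode signature enforcement is weakened: testsigning={0} nointegritychecks={1}" -f $flags.testsigning, $flags.nointegritychecks)
} else {
    Write-Output "Boot configuration: no signature-enforcement override flags set."
}
Get-UnverifiedRunningDrivers | Sort-Object Status, Name | Format-Table -AutoSize
```

A driver installed the way the post describes shows up twice in this output: the boot entry reports testsigning as Yes, and the driver's Signer is the self-made certificate subject with a Status of UnknownError or NotTrusted rather than Valid. Either finding alone is enough to say the machine is not running with the enforcement PatchGuard's marketing assumes.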
The old overwriting a kernel mode driver (like null.sys) code while in the swapfile thing is hardly news. The solution being not swapping those kernel parts (requiring ~80MB RAM more), or disabling user-mode direct access to the HD (which I believe they will do).
Old news. Actually, I'm pretty sure this is a dupe, but I haven't RTFA, so perhaps this is a new twist on it...
This is why God invented ambiguous references:
Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users
Finally, admission of guilt.
Same way it would have been reckless to point out the iceberg to the captain of the Titanic.
Weaselmancer
ridiculous.
Perhaps this link was added to the slashdot summary after you posted your comment for all I know, but the slashdot summary that I read had two links, and I found that statement quite clearly after following the first link. About the 13th paragraph down in that article states, complete with the additional link that I've included here:
So no points for grammar in that sentence (which I copied verbatim), but it seems to explain quite clearly what the Microsoft criticism is. That second linked article begins with the paragraph:
...and goes on for quite a while. Is this the statement you meant?
>>Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly
Hmm... I wonder if they plan to enable it in the near future... seems odd why they wouldn't remove it completely. Not that it would benefit anyone at all.
Being a fellow 'blessed' microsoft team member, all he has to do is walk across the hall, and ask that his wonderful application gets the 'fast lane access' to the file system.
You know there will be provisions for THEIR apps to do such a thing since they are 'trusted', but deny others the same direct access 'for your security' .
---- Booth was a patriot ----
lol...that wasn't a summary, that was a quote from the article! How can quoting the article be a "biased summary"?
Two things. First of all, there are other exploits that allow the installation of unsigned drivers. As far as I know (but I'm not the expert in that field), they have not been fixed so far. They have also not been published so far.
It's sensible to assume that they will be used instead.
The battle for system security is up, and this time it's not MS and its users against the malware writers. It is MS against its users, and users against malware authors. Yes, I did not forget about the tangent of MS against malware.
It is not there. The reason is simple: Malware will be mainly using hacked systems (read on for details). So it simply isn't the problem of MS. Their "locked" machines are secure, the users that are infected did crack it, so MS is out of liability. Case closed for MS.
The problem is that the main beneficiary is the malware author. MS will lock the machine. The users will crack it (yes, that's a "will", without a "try to" following). Most users don't have a clue how that works, granted, but you can rest assured that there will be dummy-compatible packages available. Malware will run mostly on cracked machines, simply because there will be enough of them, and they're easier to infect. The infected user, in turn, can not turn to his peers for help, because he already did break the law in the first place. Helping him would incriminate their aide, too, so any net based help is definitely out. At best you could try to get aid from your local computer guru, who'd better be a security expert and loves you enough to be your partner in crime.
In other words, the amount of fixed machines will be incredibly small. And given that reinstalling is not a trivial matter, since you'll have to crack the system again (and most affected people will need aid in that, too), few will go through the ordeal and simply live with the trojan.
Security companies will not be able to help either, simply because they have to obey the law, cannot use the exploits to get the malware into the machines and are thus stalled outside and locked out. You cannot even sensibly dissect and analyse malware anymore, since you'd have to use a hacked machine to do just that, which, in turn, is not legal.
In a nutshell: We'll have a lot more infected, unpatched and generally insecure machines than ever. We're approaching a golden age for malware writers.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Did you visit both articles? If so, you would have noticed that the IntelliAdmin.com article sources an eWeek article written by Matt Hines. eWeek's Matt Hines, in case you missed it, said "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move." in the earlier of their two articles.
So, yes, involving a second website in order to get an anti-Microsoft quote is indeed a biased summary.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
This is interesting and all, but not what was posted, that I responded to. The title, "Biased summary", and the text, "It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors." Which is in the summary, but is a quote from the article. Hence, the quote was not indicating a biased summary, but rather the quote was indicative of the rest of the article.
This was followed by the sig, "The sun is hot! Water is wet! Slashdot summary is biased! News at eleven."
I "lol"-ed at the fact that the anon coward used a direct quote to indicate a bias in the summary. "Quit quoting exactly what I say, or I'll call your reporting biased!"
While you are totally offtopic, still...WTF are you trying to say?
"Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move." That was indeed on the second page of the first article, whose title was: "Security Vendor Bypasses Microsoft's Vista PatchGuard", and which was *not* part of the slashdot article.
Rather, the followup article the next day was linked in the IntelliAdmin.com article, using the phrase "Microsoft immediately responded with an angry attack stating that the hack harmed windows users by reducing the security of Windows." This link was to an article titled "Microsoft Decries Vista PatchGuard Hack".
First, your quote is a day late and therefore offtopic. It is distracting and I assume that is why you made it. Second, quoting a hyperlink that the article in question uses is hardly "involving a second website to get..." anything. That is an accurate summary of the article, because that is what the article did, and how the article described it.
If you wanted to say the article was biased, you could have tried. But you didn't. You seem to want to say the summary is biased, because you don't like what the article says. *shakes head*
"This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows."
Anything that highlights one of the many flaws in a typical Microsoft (In)security feature should not be considered an a mere exploit or even a workaround, but rather a tremendous public service! When said public service enables the installation of real security features (as opposed to the buggy bloatware which Microsoft Hype(tm) labels a "security feature"), Microsoft should not be allowed to use its monopoly power to silence or eliminate the very worthy competition. Of course the latter goal, getting rid of competitors, not protecting its users, is the real objective of Microsoft's attempted lock down of its 64-bit Windows kernel.
One of the principles of any good security scheme is that it is not dependent on obscurity. If Microsoft was truly confident of its code, it would make the code open source. In reality, Microsoft is quite aware of how lame its code is and knows that even without seeing the source, other people are making an honest living delivering fixes for Microsoft's blunders. Hence, Microsoft tries to exclude the competition by preventing their products from working.
In the area of computer security, perhaps more than anywhere else, Microsoft is working very hard to lower the bar in order to increase its profits at the expense of ordinary users. I, for one, do not trust Microsoft. Just look at the spyware known as Windows Genuine Advantage (WGA) notification that Microsoft tried to foist upon the unsuspecting masses. Informed people refer to it as Windows Genuine Disadvantage...
I want someone with a vested interest in pointing out the glaring design flaws, numerous bugs, and generally feeble nature of the so-called security features in Microsoft's products to be able to implement effective solutions that protect the users of Microsoft products from malware, crackers, and (hopefully) Microsoft itself.
Fighting for Truth, Justice, and Stupendous Karma,
Fractalzone
"You're young, you're drunk, you're in bed, you have knives; shit happens." -- Angelina Jolie
I've been running windows xp pro X64 for some time without any of these issues. This is a 'Bonus Item' M$ has included/inflicted on Vista...
errr....umm...*whooosh* *whoosh* Is this thing on ?
Right on, brotha... How can a news source claim to be responsible unless they are? I think Slashdot has earned the responsibility of being a respectable source of journalism based on its large subscription reader base. Poor use of the " mark.
Indeed, there was but one link (the original article seems to have additional references now as well).
I think I'm still looking for the statement about something being quote reckless unquote, though. Saying that they are unhappy (duh), and that users might find themselves in a pickle if relying on a product which uses a method that will be rendered defunct soon (or already is, according to that article you linked to), is hardly saying that Authentium was being reckless and endangering Windows security and whatnot.
In terms of redacting, the blurb should have at least pointed to the article you linked to on that last link, as the wording in that link suggests that Microsoft's response is to be found in the article linked to; which it is not.
Right, I'm sulking now ;p
"None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
Microsoft immediately responded by saying THEIR reckless ways are endangering the security of Windows users by not disabling the hack before release?
There is no reason for that to be true. Locking out old drivers doesn't provide security, nor would allowing them have to lessen security. The only reason Microsoft is requiring signed drivers is for DRM.
So how is it that the other companies' reckless ways are endangering users? Let me see if I have this straight:
step 1: MS makes OS with a security hole
step 2: 3rd party company discovers security hole and publishes
step 3: MS reprimands them for uncovering the hole
Why is it step 2's fault!? It would have been discovered eventually anyway by hackers; isn't it better that a company discovers it and allows Microsoft to know?
Analogy:
step 1: NASA builds rocket with fatally flawed engineering
step 2: 3rd party company examines shuttle and finds flaws
step 3: NASA reprimands 3rd party for finding flaw and endangering crew
Sound like a fair comparison?