Slashdot Mirror
Security Firm Bypasses Patch Guard
filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
"Patch Guard ... is supposed to keep out ... security company competitors"
..."
Uhm. Yes. According to -some- security company competitors whose entirely livelihood depends on Windows being as insecure as it is? Certainly not according to Microsoft itself.
"Microsoft immediately responded"
really?
Microsoft doesn't respond anywhere in that article. In fact, page 2 (yes, it's one of THOSE articles) specifically reads:
"Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move."
So where -did- they respond?
"by saying their reckless
and that whole article doesn't contain the word 'reckless' at all. So where did they say this, again?
Mind you, the article itself is in error when on page 2 it states:
"Next Page: Microsoft defends itself."
And when you get to page 3, you get:
- a symantec spokesperson
- an industry watcher, possibly:
- Andrew Jaquith of Yankee Group
But absolutely no Microsoft. So where is Microsoft defending itself?
Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.
What could you possibly be talking about? Direct disk access means bypassing the filesystem and reading and writing to the sectors directly. This requires administrator privileges for good reason: it bypasses file security, file locks and all the other nice things that filesystems do. No user application requires the ability to bypass the filesystem. Don't you need to be root to access a mounted block device on a UNIX? It's the same thing. The fact that it's possible to modify the kernel when you have admin privileges (and physical access for that matter) is hardly suprising, and in fact is unfixable (short of full TCPA).
PatchGuard is only there to discourage apps that hook the syscall table (an inherantly unsafe operation) and make other modifications to the kernel's private, volaitle internal interfaces. When Windows NT was written, the MS devs never expected 3rd party devs to go poking around with the kernel's private interfaces, and are rightly disgusted when those 3rd party software programs cause problems because of it. Compare this to Linux: you are free to maintain your own custom build of the kernel, but in the mainline, all the kernel interfaces are so volaitle, every minor revision is binary incompatible with the rest. You'd never get a device driver accepted into the mainline if it depended on private interfaces that break every revision, even on a source level. Microsoft is well within their prerogative to make changes the Windows kernel's internal, private interfaces. This doesn't work too well when 3rd party apps are dependent on them never changing, especially when Windows crashes because of it. PatchGuard is a technical speed bump to make it harder for 3rd party software companies to screw with the kernel's internals. Microsoft knows that it's an unwinnable arms race, but hope that the 3rd parties will decide it's just easier to stick to the kernel's public interfaces. Microsoft is willing to create new stable public interfaces to support the necessary behavior.
The only thing I can think of that you might be talking about for reduced performance is if you meant no intermediate buffering when you said "direct disk write". The FILE_FLAG_NO_BUFFERING and FILE_FLAG_WRITE_THROUGH buffering options are unrelated to direct disk access (which actually means bypassing the filesystem to access the block device directly). Write through and unbuffered IO aren't going anywhere.
As for special hooks that MS applications get into the OS that no one else gets, how about an actual example?