Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Firm Bypasses Patch Guard

Posted by ryuzaki0 on from the routing-around-it dept.

filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."

18 of 122 comments (clear)

  1. Reckless? by Izago909 · · Score: 4, Insightful

    What's more reckless... writing software with security holes and making its' selling point the high level of security it contains... or discovering an exploit that defies the marketing team?

    1. Re:Reckless? by Gregory+Cox · · Score: 3, Insightful

      Designing an exploit is not reckless - the only thing that can be reckless is using the exploit you've designed in the wrong way, or giving it to the wrong people.

      As a security company, Authentium ought to know how to handle exploits properly. Presumably if they had a trusting relationship with Microsoft, they'd let them know about it quietly. Instead, they announced it publicly, using it as a bargaining chip against Microsoft in case it reneges on its promise to provide adequate APIs for security vendors.

      Microsoft, on the other hand, didn't say "thanks for letting us know, so we can patch it - just make sure you disclose the information in the proper way". Instead they're quoted as asking Authentium to "abandon the tactic" - clearly they view the very existence of the exploit as an embarrassment, even as a threat, and don't expect Authentium to play friendly and just hand over the details.

      Ideally, the two companies should be working together against malicious software writers to secure users' computers. Seen from that point of view, isn't the whole situation a little weird?

      --
      If you all Google Slashdot, will it Slashdot Google?
  2. Let it be said again. by Lord+Kano · · Score: 4, Insightful

    Necessity is the mother of invention.

    If Microsoft hadn't been so assholeish about it, no one would have needed to circumvent their "protections".

    LK

    --
    "Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
    1. Re:Let it be said again. by daeg · · Score: 4, Insightful

      Norton has been using hacks in win32 from day 1, and I'm sure they'll use them again this time around. I just hope Microsoft closes them as quickly as Norton exploits them -- the same holes that Norton uses will be the same holes that viruses use.

    2. Re:Let it be said again. by Foolhardy · · Score: 4, Insightful

      This isn't a security hole. The fact that a process with admin privileges (yes, they're required for this) on the system can modify the kernel is something that can't be fixed by any means, on any OS (except via full TCPA). Microsoft knows that. Trying to protect the computer from malware/viruses that already have admin privileges is a joke. This is designed to make it such a pain for 3rd parties to continue modifying the kernel's internals (something that they shouldn't be doing in the first place) that they switch over to the public interfaces designed for the same purpose. Norton's crying that they have to clean up their code. Sophos already switched over.

  3. Spelling correction. by Majik+Sheff · · Score: 5, Funny

    You left the 'n' out of "defines".

    --
    Women are like electronics: you don't know how damaged they are until you try to turn them on.
    1. Re:Spelling correction. by Hamoohead · · Score: 4, Funny

      I thought "defiles" was was spelled with an "L"

      --
      "If your parents never had children, chances are you wonât either." -Dick Cavett
  4. Politeness by Steamhead · · Score: 4, Funny
    Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly.

    Rather nice way to say "Thanks, we will fix this right away" eh?
  5. 'obvious' bug. by SillyNickName4me · · Score: 3, Interesting

    So, the way to achieve this is by changing contents in the pagefile by writing disk sectors directly.

    If such an obvious bypass has not been considered, how many other such issues exist that are yet undiscovered?

    Then, the supposed 'fix' is to disallow writing raw disk sectors for any non kernel code. This will only work when not allowing for things like disk editors and recovery tools, because those would need ways to bypass this and this just opens up new attack vectors.

  6. Remember what "security" means by Sloppy · · Score: 4, Insightful

    To users, security is about protecting the machine from external threats.

    To Microsoft, security is about protecting the machine from everyone, including the owner and admin.

    To users, security is about protecting the user's personal data and ability to use the machine.

    To Microsoft, security is about protecting someone's data (not necessarily the user's) from everyone (perhaps including the user).

    To the computer's owner, the machine is entirely their own domain, and exists for their own benefit to maximize their own interests.

    To Microsoft, the machine is partitioned and not all of it belongs to the owner, ultimately to maximize Microsoft's interests.

    To the computer's owner, their relationship to Microsoft is that the computer owner is the customer.

    To Microsoft, their relationship to the computer's owner, is that the owner is both a customer and a product.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  7. Re:Banging head against cement.... by Angostura · · Score: 3, Insightful

    Well, I hate to be contrarian (actually I don't) but in this case Microsoft is attempting to address you point 1. in a reasonable way, by disallowing unsigned drivers. The fact that the protection can be broken is problematic. The fact that Microsoft is now looking to close the loophole is fine.

  8. Bit of a stretch by Psykosys · · Score: 3, Interesting
    It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors.
    While it could be argued that part of Microsoft's goal with PatchGuard is to keep out "security company competitors", there's no hard evidence, AFAIK, that this was one of Microsoft's design goals in creating it and it's somewhat irresponsible to suggest this. If there were, this would presumably be an easy court case and security companies wouldn't have a hard time at all suing Microsoft for illegal measures to establish a monopoly, etc. Instead, they'll be faced with the uphill task of proving that the "keeping out the competition" aspect is not just a necessary side effect of the rest of the design.
  9. Nice Anti-Microsoft blurb - good job, editors by Animaether · · Score: 5, Informative

    "Patch Guard ... is supposed to keep out ... security company competitors"
    Uhm. Yes. According to -some- security company competitors whose entirely livelihood depends on Windows being as insecure as it is? Certainly not according to Microsoft itself.

    "Microsoft immediately responded"
    really?
    Microsoft doesn't respond anywhere in that article. In fact, page 2 (yes, it's one of THOSE articles) specifically reads:
    "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move."

    So where -did- they respond?

    "by saying their reckless ..."
    and that whole article doesn't contain the word 'reckless' at all. So where did they say this, again?

    Mind you, the article itself is in error when on page 2 it states:
    "Next Page: Microsoft defends itself."

    And when you get to page 3, you get:
    - a symantec spokesperson
    - an industry watcher, possibly:
    - Andrew Jaquith of Yankee Group

    But absolutely no Microsoft. So where is Microsoft defending itself?

    Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.

  10. MS PhotoEditor will outperform Adobe by 100x by 140Mandak262Jamuna · · Score: 4, Insightful
    OK, let us take the next logical step, all direct disk write by non-kernel mode process will be off. Applications like Pinnacle, Adobe Photo Editor, Maya and Gimp will suffer slow disk write times. MS PhotoEditor also would suffer similarly. Except, MS PhotoEditor coder, some nice chap who is just doing his job gets his ears chewed out and small chairs thrown at him. Goes into the source code tree finds the coder who is controlling the access to the direct diskwrite part in OS side. Bingo, in the next release MS PhotoEditor performs 100x faster than Adobe. Mindless editors of PCMag and others ooh and aaah about the "technological advances" made by innovative MS.

    Yeah, sure it is a far fetched conspirational theory. Mods, before you mod it troll or offtopic or wierd or paranoid, take a look at the comments in the code outed by MainSoft. Obsolete version of Windows NT code. But it had numerous comments like, "Private entry point for Jim to get Excel access memory faster". Private entry points, calls that take shortcuts through several application layers and protocols... that is how security holes are made. Such close nexus between application coders and OS coders is the reason why such api-layers are violated.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:MS PhotoEditor will outperform Adobe by 100x by Foolhardy · · Score: 4, Informative

      What could you possibly be talking about? Direct disk access means bypassing the filesystem and reading and writing to the sectors directly. This requires administrator privileges for good reason: it bypasses file security, file locks and all the other nice things that filesystems do. No user application requires the ability to bypass the filesystem. Don't you need to be root to access a mounted block device on a UNIX? It's the same thing. The fact that it's possible to modify the kernel when you have admin privileges (and physical access for that matter) is hardly suprising, and in fact is unfixable (short of full TCPA).

      PatchGuard is only there to discourage apps that hook the syscall table (an inherantly unsafe operation) and make other modifications to the kernel's private, volaitle internal interfaces. When Windows NT was written, the MS devs never expected 3rd party devs to go poking around with the kernel's private interfaces, and are rightly disgusted when those 3rd party software programs cause problems because of it. Compare this to Linux: you are free to maintain your own custom build of the kernel, but in the mainline, all the kernel interfaces are so volaitle, every minor revision is binary incompatible with the rest. You'd never get a device driver accepted into the mainline if it depended on private interfaces that break every revision, even on a source level. Microsoft is well within their prerogative to make changes the Windows kernel's internal, private interfaces. This doesn't work too well when 3rd party apps are dependent on them never changing, especially when Windows crashes because of it. PatchGuard is a technical speed bump to make it harder for 3rd party software companies to screw with the kernel's internals. Microsoft knows that it's an unwinnable arms race, but hope that the 3rd parties will decide it's just easier to stick to the kernel's public interfaces. Microsoft is willing to create new stable public interfaces to support the necessary behavior.

      The only thing I can think of that you might be talking about for reduced performance is if you meant no intermediate buffering when you said "direct disk write". The FILE_FLAG_NO_BUFFERING and FILE_FLAG_WRITE_THROUGH buffering options are unrelated to direct disk access (which actually means bypassing the filesystem to access the block device directly). Write through and unbuffered IO aren't going anywhere.

      As for special hooks that MS applications get into the OS that no one else gets, how about an actual example?

  11. Re:Wayback Machine... by Tacvek · · Score: 3, Informative
    Are you sure you have no page files? Most operating systems will swap out memory. Windows defaults to having a page file. (At least 32-bit XP does.) (Mine uses a 1536MB-3072MB paging file). Linux has the swap partition.

    Sure, 64-bit means a memory cap so high it is very unlikely you will ever reach it, but what is the highest one machine is going to have? 8GB? 16GB? Even with that much memory, a paging file can sometimes increase performance. It may be because of architectural design faults. At one point Linux would run faster with a Swap-FS on a ramdisk than with no swap at all. (I'm completely unaware of when or if that has changed.)

    --
    Stylish sheet to fix many problems in Slashdot's D3: https://gist.github.com/801524
  12. thoughts on patchguard by Pr0xY · · Score: 4, Insightful

    sure it's not perfect, nothing is, but I find the effort of making patchguard a step in the right direction. Here's the thing, If it were possible to prevent anything but pre-approved code from running in kernel space, there would be basically no need for vendors to hook the kernel in the first place.

    Also, a lot of people are really talking it up about how Microsoft sucks and patchguard is just another flawed attempt at security by a company that doesn't know its ass from its elbow (or something to that nature)...but I haven't seen much if any effort by any of the other mainstream OSes to prevent kernel patching at all. It is downright trivial to write a Linux kernel module which hooks all sorts of critical data structures, same with FreeBSD and Solaris.

    Is it the argument of the anti-patchguard people that if it can't be done perfectly, lets not even bother?

    I guess the major driving point of my being a Microsoft apologist in this case is that, at least from an academic point of view, the kernel is supposed to be the only software which accesses these low level things and abstracts out interfaces for the rest of the software to utilize...the kernel shouldn't be exposing anything like direct disk access, or kernel space memory to user space....ever, under any circumstances. do that and things like rootkits are an awful lot harder to make in the first place.

    Some Linux distros are starting to get the point by limiting and sometimes eliminating entirely access to /dev/kmem which is a step in the right direction, but it's still not good enough.

    The way I see it, Microsoft may not be perfect, but at least they are trying.

    proxy

  13. Biased story submission, by Rip!ey · · Score: 3, Informative

    The slashdot summary says "Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."

    But the article reads differently. "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move. O'Donnell said that Authentium has informed Microsoft of its work, and that the software company asked it to abandon the tactic and wait for its new APIs ..."