Microsoft Opening Up Vista Kernel To Security Vendors

Following conversations with the European Union, Microsoft will make two security-related changes to Vista. First, it will create a new set of APIs, which will let third-party security vendors access information from the kernel. Microsoft will also build additional APIs to make sure Vista's security status dashboard -- Windows Security Center -- doesn't send duplicate alerts to users who have installed a rival dashboard.

Both issues had been raised by long-time Microsoft partners Symantec and McAfee, which went public with their concerns last month.

"I think these are acceptable compromises," said John Pescatore, analyst for Gartner. "Being a security vendor is new to Microsoft. It's only very recently started to sell security products, and I think they just underestimated this issue. "But it took the EU to sort of say something before Microsoft did anything, so I think that shows Microsoft still has a long way to go before it really understands how it has to operate."

The promise to alter how security companies access the Vista kernel was the most significant of the two changes Microsoft announced Friday. Previously, Microsoft said it would integrate PatchGuard, a technology meant to stop malicious code and third-party software from making kernel level changes, into the 64-bit edition of Vista. Security vendors, however, objected, and claimed that by locking down the kernel, Microsoft was locking out their ability to monitor system calls, a technique used by behavioral host-based intrusion prevention system to sniff out suspect or malicious code.

id
unit-1659132512259
type
Sponsored post

"Microsoft is still saying the kernel remains unmodifiable," said Joe Wilcox, an analyst with JupiterResearch. "But the APIs will allow access to information going to the kernel.

"Microsoft's saying 'don't mess with the kernel, no one should have access,'" said Wilcox. "Microsoft was, and is, in a difficult situation. I'm sympathetic with the vendors' position. On the other hand, Microsoft has to protect the core of the operating system. But even this API thing makes me nervous. What happens if the bad guys start using it?

"Who is going to get access to this [kernel] information? Will it be to all or just some vendors? If it's just some, someone will cry holy hell over it."

Symantec on Friday had almost as many questions as Wilcox. "While we're encouraged by the announcement," said Chris Paden, a Symantec spokesman, "we have not seen the technical information we need to address our concerns about PatchGuard and the Windows Security Center. Vista is supposed to ship to manufacturing within weeks, so we need that information yesterday.

"If they're willing to commit to a deadline, that would alleviate some of our concerns," Paden added.

Microsoft won't roll out the APIs for PatchGuard in the first edition of Vista, said Wilcox, but will unveil them with the first Service Pack. Typically, Microsoft deploys an initial Service Pack 12 to 18 months after the release of an OS.

"The implementation will take some time," said Wilcox.

Gartner's Pescatore agreed, but cautioned Microsoft not to dally. "The clock is already ticking on 64-bit uptake," he said. "Users will migrate to 64-bit sooner than most people expect, so if Microsoft slips past the 12-18 month range for SP1, that could be a problem."Microsoft also bent to demands from security vendors and the EU's antitrust agency that it change its Vista plans for Windows Security Center, the operating system's security dashboard. It will not entirely disable the dashboard, as it allowed third-party vendors to do with the same-named feature in Windows XP, but will let security rivals program their wares to eliminate alerts from Security Center that duplicate ones issued by the vendor's own console.

Even so, Symantec remained skeptical. "Microsoft has the interface to turn off the Security Center," said Paden. "They've sat on it. Why haven't they provided that already? That makes us wonder do they, or do they not, have APIs for PatchGuard?"

Microsoft made the two moves, it said Friday, after the EU's Competition Commission -- which is lead by Dutchwoman Neelie Kroes -- "advised Microsoft that it should make additional changes in three remaining areas of the product," said a Microsoft spokesperson. "The company agreed to make each of these changes."

"We recognize that the European Commission does not give 'green lights' for new products, and we have not asked for one," said Brad Smith, Microsoft's general counsel, in a statement Friday. "We appreciate the constructive dialogue we have had with the commission and the guidance the commission has provided. Based on this guidance, we have made changes to ensure that we're in compliance with our competition law obligations.

"We are moving forward to make Windows Vista available on a worldwide basis."

In a competing statement released Friday from EU headquarters in Brussels, the government's antitrust agency noted the Vista changes announced by Microsoft and added: "The Commission will closely monitor the effects of Vista in the market and, in particular, examine any complaints concerning Vista on their own merits."

The changes seem to give Microsoft the go-ahead to release Vista on its previously-announced schedule -- November to volume license customers, January 2006 to retail -- in all markets, including Europe. At one point this fall, Microsoft threatened to delay Vista's release in the EU when Kroes said the operating system might be in violation of the 2004 antitrust ruling. Within days, however, it had retracted the warning.

"What this shows, I think, is that Microsoft wants to ship the operating system," said Wilcox. "On the one hand, Microsoft is even more of a target [of antitrust efforts], but it's also making a concerted effort to abide by different rules from the past.

"The old rules don't apply," he concluded. "Microsoft finally gets that."