Microsoft Stands Firm On PatchGuard

"Vista is not completed yet, and we're sitting down with everyone," said Stephen Toulouse, senior product manager with Microsoft's security technology group. "We're still gathering feedback" about Vista's security, he added.

That might seem to leave open the door to changes in how Vista implements the security features that third-party vendors have questioned, including plans to bar access to the kernel in the 64-bit version of the upcoming OS and to prevent competitors from turning off Vista's Security Center dashboard. Rivals Symantec and McAfee have gone public in the last month with criticisms of both features, and have charged that Microsoft's decisions will make Vista less secure, not safer.

Last month, Symantec took its complaints to Europe, where the European Union's antitrust agency has already warned Microsoft not to tread on security competitors' toes. Symantec's beef was with Security Center, which Microsoft has said it won't allow other developers to automatically turn off. By Symantec's reasoning, customers would be confused if they saw alerts or status indicators from more than one dashboard.

"Microsoft is fundamentally limiting customers' choice," said Rowan Trollope, Symantec's vice president of consumer engineering, in a Sept. 22 interview.

This month, McAfee joined in, running a full-page ad in the U.K.-based Financial Times that took Microsoft to task over PatchGuard, technology meant to stop malicious code and third-party software from making changes at the kernel level. "They've leveraged their access [to the kernel] to give themselves an unfair advantage," said John Viega, McAfee's chief security architect, last week.

Microsoft's Toulouse saw it differently Thursday. "Security Center is vendor agnostic, but talks [about it] are still ongoing." When asked if Microsoft had decided to bar vendors like Symantec and McAfee from disabling the dashboard, he answered "I'm not aware of any decision [on that]."

He was blunt about PatchGuard, however. "We are not going to allow access to the kernel," he said. "Instead, what we're saying [to security vendors], to the extent that you were hooking into the kernel, why were you doing it? And how can we help you provide [that functionality] in a safe way?"

Symantec, McAfee, and others have accessed the kernel in 32-bit versions of Windows XP to monitor possibly malicious calls by suspect code. The technique has been especially useful as security products add behavioral host-based intrusion prevention features.

Toulouse said that has to stop. "PatchGuard is designed to prevent unauthorized and unsupported access to the kernel. We never intended Windows, even XP, to run against a modified kernel. There are all kinds of stability and performance issues, including blue screens."

Companies like Symantec and McAfee were using unsupported and undocumented APIs, said Toulouse, that Microsoft certainly did not encourage, even if it didn't ban the practice. Although they can continue to do so in the 32-bit version of Vista -- "There are issues entirely separate from security here," said Toulouse, "including backward compatibility" -- they won't be able to in the 64-bit edition.

Both Symantec and McAfee have argued that legitimate security developers should be granted exceptions to PatchGuard, perhaps using some sort of signing process.

Toulouse said Microsoft was adamantly against that. "We will not grant exceptions. It would raise too many problems." Among them: attackers could simply bundle enough snippets of a legitimate security product's code with their own payload to get it through the signing defense.

Gartner's resident security analyst, John Pescatore, disagrees with Microsoft's decision to block kernel access to everyone. "Operating systems must be made more secure and all OSes should evolve mechanisms to protect the kernel," said Pescatore in a research note published this week. "However, since Microsoft is a company that, on more than one occasion, has been legally found to have committed antitrust violations with its desktop OS, it has an obligation to ensure it doesn't disadvantage competitors, especially in security, where Microsoft now competes.

"Microsoft should have aggressively included independent software vendors (ISVs) early in the development of PatchGuard, and that it should have developed mutually acceptable mechanisms for legitimate, trusted security software to use kernel hooks," he added. Such a move now, of course, would mean a significant reworking of 64-bit Vista, and possibly a long delay in its release. On the Security Center brouhaha, however, Pescatore sided with Microsoft. "The issues around Windows Security Center are overblown," he said.

"Vendors don't have to do this only in the kernel," countered Toulouse. "That's what we're saying to them. There are vendors who are actually supportive of PatchGuard and locking the core of the OS," he said, citing European security companies Kaspersky Lab and Sophos as examples.

"And this isn't new. PatchGuard is in 64-bit Windows XP. So regardless, [security developers] should have been thinking about how to work without accessing the kernel."

Microsoft has also posted a white paper outlining its rationale for securing the Vista kernel; it can be downloaded from here as a Microsoft Word file.