Symantec Spurns Microsoft's Vista Security Proposal


"It's not enough at all," said Rowan Trollope, Symantec's vice president of consumer engineering, and the man in charge of the security company's Norton AntiVirus and Norton Internet Security products. "It leaves customers exposed to threats."

Trollope's rebuff is the latest in the increasingly antagonistic brawl between Microsoft and Symantec, which remains a partner of the Redmond, Wash.-based operating system giant. Since September, Symantec has publicly criticized Microsoft's PatchGuard, a kernel-protection technology in the 64-bit version of Windows Vista that detects modification of kernel code and core kernel data structures and halts the system when it finds one. PatchGuard is meant to stop both malicious code and third-party software from patching the kernel, and Microsoft has touted it as a defense against rootkits and other malware.

Symantec and McAfee have argued that PatchGuard will make 64-bit Vista less safe than the 32-bit version, less safe, too, than Windows XP. "Threats evolved," said Trollope, "and we were forced to access the [32-bit] kernel to come up with advanced security technologies. There's no reason to think that that trend won't continue in 64-bit."

One way that current security software uses the Windows kernel -- by "hooking" into it, that is, patching kernel code or its function tables -- is to ensure that a Trojan, for example, can't disable the product's defenses. "In 32-bit, if you get a Trojan and you don't know it, we make sure that the protection's not disabled. The malware's attempt to turn us off fails. Then, in a few hours, when we update signatures, we can detect and delete it." Without that tactic, which depends on modifying the kernel, a Trojan could silently turn off the PC's security software and leave the machine completely defenseless. The same hooking mechanism is what rootkits use to hide themselves, which is why PatchGuard treats every such modification alike.
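To make the two sides of the dispute concrete, here is an added user-mode simulation written for this page; it is not Windows kernel code and not anything from Symantec or Microsoft. It models the kernel as a function-pointer dispatch table (the role the system service table plays on real Windows), shows a security product hooking the "terminate process" service so that it refuses to kill the product's own process, shows a rootkit using the identical mechanism to hide a process, and runs a PatchGuard-style integrity check that snapshots the table at "boot" and later reports whether it has changed. The PIDs, service numbers, and table layout are all constructed for illustration.

```c
/* Added user-mode simulation (not Windows kernel code) of kernel-table hooking
 * by a security product, the same hook used by a rootkit, and a PatchGuard-style
 * integrity check. All names, numbers and the table layout are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PROTECTED_PID 1234   /* hypothetical PID of the security product */
#define HIDDEN_PID    4242   /* hypothetical PID a rootkit wants to conceal */

typedef int (*service_fn)(int pid);

/* Stand-ins for kernel services. 0 = success, -1 = denied / not found. */
static int svc_terminate_process(int pid) { (void)pid; return 0; }
static int svc_open_process(int pid)      { (void)pid; return 0; }

enum { SVC_TERMINATE = 0, SVC_OPEN = 1, SVC_COUNT };

/* The "kernel": a function-pointer dispatch table, like the system service table. */
static service_fn dispatch_table[SVC_COUNT];

/* FNV-1a hash over raw memory; used to snapshot the table's contents. */
static uint64_t fnv1a(const void *data, size_t len) {
    const unsigned char *p = data;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t baseline_hash;   /* taken at "boot", before any driver loads */

void kernel_init(void) {
    dispatch_table[SVC_TERMINATE] = svc_terminate_process;
    dispatch_table[SVC_OPEN]      = svc_open_process;
    baseline_hash = fnv1a(dispatch_table, sizeof dispatch_table);
}

/* Entry point that every caller (user mode, malware, the AV itself) goes through. */
int kernel_call(int service, int pid) {
    return dispatch_table[service](pid);
}

/* --- Security product's hook: the 32-bit technique the article describes --- */
static service_fn saved_terminate;

static int av_hooked_terminate(int pid) {
    if (pid == PROTECTED_PID)
        return -1;                    /* refuse to kill the security product */
    return saved_terminate(pid);      /* otherwise pass through unchanged */
}

void av_install_hook(void) {
    saved_terminate = dispatch_table[SVC_TERMINATE];
    dispatch_table[SVC_TERMINATE] = av_hooked_terminate;
}

/* --- Rootkit's hook: identical mechanism, used to hide a process --- */
static service_fn saved_open;

static int rootkit_hooked_open(int pid) {
    if (pid == HIDDEN_PID)
        return -1;                    /* pretend the process does not exist */
    return saved_open(pid);
}

void rootkit_install_hook(void) {
    saved_open = dispatch_table[SVC_OPEN];
    dispatch_table[SVC_OPEN] = rootkit_hooked_open;
}

/* --- PatchGuard-style check: has the table changed since boot? ---
 * Returns 1 if modified. The real PatchGuard runs such checks at unpredictable
 * intervals and bugchecks the machine on a mismatch. The hash alone cannot
 * tell the AV's hook from the rootkit's, which is Microsoft's core argument. */
int integrity_check(void) {
    return fnv1a(dispatch_table, sizeof dispatch_table) != baseline_hash;
}

int main(void) {
    kernel_init();
    printf("malware kills AV before hook:  %d\n", kernel_call(SVC_TERMINATE, PROTECTED_PID));
    av_install_hook();
    printf("malware kills AV after hook:   %d\n", kernel_call(SVC_TERMINATE, PROTECTED_PID));
    printf("table modified (AV hook):      %d\n", integrity_check());
    rootkit_install_hook();
    printf("open hidden process:           %d\n", kernel_call(SVC_OPEN, HIDDEN_PID));
    printf("table modified (rootkit hook): %d\n", integrity_check());
    return 0;
}
```

The point the simulation makes is that the integrity checker sees only that the table differs from its baseline: the security product's self-protection hook and the rootkit's hiding hook are the same kind of modification, so a checker that halts on any change blocks both, and one that admits "good" hooks needs some out-of-band way to decide which is which. That is exactly the gap the documented-API proposal below is meant to fill.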


Friday, Microsoft announced that while it would not budge from its position barring direct access to the kernel, it would create APIs (application programming interfaces) giving a select group of security vendors what they need to replicate their current 32-bit techniques. Microsoft said it made the change at the request of the European Commission's competition authority, led by Dutch commissioner Neelie Kroes, which has had Vista under its microscope since early 2006.

"Based on [the commission's] guidance, we have made changes to ensure that we're in compliance with our competition law obligations," said Brad Smith, Microsoft's general counsel on Friday.

That same day, Stephen Toulouse, senior product manager with Microsoft's security technology group, was more specific about what Microsoft would provide in the way of kernel access. "[We will] provide new documented and supported interfaces in 64-bit versions of Windows that will allow them to leverage the kernel on x64-bit systems, enabling a comparable level of functionality to what they have today on x32-bit systems without direct access to the kernel," wrote Toulouse in a blog entry.

"Even if they provide a mechanism, how or when will they?" asked Trollope.

Microsoft's Toulouse left the "when" wide open. "It's a complex and large amount of work and will be delivered over multiple upcoming Windows releases as we understand the exact requirements and design the changes," he said, and then cited Service Pack 1 (SP1), SP2, and even "future versions of Windows."

That means Vista users could be at risk to advanced attacks for years, countered Trollope.

"The more fundamental issue is that they're saying that the only way through to the kernel will be their supported APIs. So when Vista 64-bit releases, users have no chance to completely secure their systems. Our advanced technologies won't run." Trollope claimed that his research team had identified 25 samples of recent malware, including Trojans and backdoors, that would be able to attack 64-bit Vista. Trollope also accused Microsoft of brushing off vendors who want to access the kernel because Microsoft doesn't have the advanced capabilities that require kernel hooking in their own security software, like Windows Live OneCare.

"Absolutely, this is connected to that. It's no coincidence that they're not concerned about kernel access because they don't offer these advanced technologies. Now that they're in anti-virus, it's even more convenient for them to not offer [kernel access]. The net effect is that they're eliminating differentiators that separate us and others from Microsoft's security [products]."

Microsoft has argued that it cannot grant kernel access to some parties, such as known security vendors, without attackers following through the same door. Trollope rejects that idea. "Keep PatchGuard, certainly, but give secure access to well-known security suppliers. We have a secure alternative [to APIs]," he said.

And if Microsoft doesn't give way on kernel access? What would Symantec's next step be?

"All options are on the table," said Trollope.