Windows' Patchguard Hinders Security Vendors
Posted by CowboyNeal on Fri Aug 11, 2006 12:41 PM from the only-game-in-town dept.
eldavojohn writes "Windows' PatchGuard seems to be upsetting third party security vendors such as Symantec, Sana Security and Agnitum. It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but it will force security software companies to give up developing software for Windows. From the article: 'PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista,' said Yankee Group analyst Andrew Jaquith. 'Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.' Apparently, using these techniques is not a difficult trick."
Related Stories
Security Companies Tussle With MS Security Center (225 comments)
hey0you0guy writes, "The large security firms such as Symantec and McAfee want Microsoft to allow them to replace Microsoft's Windows Security Center. Microsoft is refusing these requests. 'By imposing the Windows Security Center on all Windows users, Microsoft is defining a template through which everybody looks at security,' Bruce McCorkendale, a chief engineer at Symantec, said in an interview. 'How do we trust that Microsoft knows what all the important things about security are to warn users about?' Given Microsoft's past, with vast piles of security flaws and patches, they should at least cooperate with these companies. A dispute still exists over PatchGuard, a security feature that Microsoft says is designed to guard core parts of the 64-bit version of Vista, but which critics say locks out helpful software from security rivals."
Oh noes! (Score:5, Insightful)
C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' PC protection companies can't deal with Windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.
Re:Oh noes! (Score:2, Funny)
Any blackhat technique they use would be immediately patched by Microsoft.
Yes, they could patch. Or (and it's probably obvious, but IANAL) if they want to be "legally" anti-competitive, they could always claim that third-party vendors are violating the DMCA by using said techniques...
Re:Oh noes! (Score:5, Insightful)
Well, history tells us that the likelihood of Windows actually securing itself is pretty slim.
If they could use black hat techniques, then it wouldn't be secure now, would it?
Having said that, it's a catch-22. If Windows implements an approved kernel hook for the antivirus companies, it will get exploited. If they don't, then no antivirus software, but just as many virus writers.
Whether or not Microsoft is going to help 3rd parties sell software to secure Windows, there will be people doing the same things they do now. Except in that case, the consumer is on their own and waiting for Microsoft to stop them from getting pwn3d.
Cheers
Re:Oh noes! (Score:3, Interesting)
I just felt it had to be said, but: since when can you not totally mess up a Linux system when you're running software as root?
I don't see local software running as root and therefore having root permissions as "a security hole". The only security holes I worry about are elevated permissions and unauthorized installs such as the 0-day IE exploit and buffer overruns.
While I'm glad MS is s
Re:Oh noes! (Score:4, Interesting)
Absolutely you can. But, if I choose to install software, I can decide that I trust it, and want it running as root. But the rest of the time, I'm logged in as a user who doesn't have root privileges, and can't bork anything but my own stuff. If the user wishes to install kernel-level software, they're allowed. I've run apache as both userland and root; except for which ports it can bind to, apache doesn't care.
That has always been the problem. You simply can't do anything on windows without being the admin, because so much crap just expects to have it, and fails if it doesn't. And then every damned website you visit which has an exploit is the administrator. Whee!! How fun!
Back in the day, if I wanted some software on a UNIX machine, and the cranky UNIX admin said "leave me the fsck alone", I could still untar it into my own directory, set my path variable (give or take one or two more) and just run it. The software ran just fine in userland, and was isolated from the OS. It could hose my files, but not the system.
Same deal on a Mac, the folder which was the install was the whole app. You could move it or delete it -- deleting was uninstalling basically. On Windows, every bloody piece of software expects to be able to write to the registry, install itself for every user, demands that it write to Program Files, and possibly muck with some stuff in the Windows folders. Because that's how you're expected to do these things.
The fact that you can't do anything in Windows without being the admin has always been a major source of problems. If they had a model whereby users could install software into their own "user programs" or somesuch, and that was separated from the rest of the damned OS, these things couldn't happen.
However, as long as MS sticks with the way they have envisioned the world, preventing people from having kernel hooks (unless you use black hat methods) is kind of an empty solution, because it doesn't address the bigger problem of needing to be the Administrator to accomplish anything on a Windows machine.
Cheers
Re:Oh noes! (Score:3, Interesting)
And it's not a matter of being insecure at the software level, it's a matter of bad practices implemented to make things convenient for "low knowledge users" in home environments.
While I get what you're
Re:Oh noes! (Score:3, Interesting)
First off, I agree with everything you said in both posts.
It just has the effect that the system is highly insecure because of the design, which is no better.
Re:Oh noes! (Score:5, Interesting)
I agree, but there's no *point* in doing anything in Windows without being admin.
There is no point in running Windows as a non-privileged user.
If you doubt my word, log into your favorite Windows as your unprivileged user and set up a scheduled task to run cmd.exe
When the scheduled task runs and you get a command window try and see what you *cannot* do on the system...
(I used to put a great deal of effort into running as an unprivileged user; I spent hours trying to get games to run without having to be Admin. It seems that I totally wasted my time. Thanks, Bill.)
Re:Oh noes! (Score:5, Interesting)
Whether MS' technique works or not, it's bad for us as it limits our choices.
Of course I'm sure neither of these is a concern to Symantec, only that they'll make less money, but they are still valid arguments to consider.
Re:Oh noes! (Score:5, Interesting)
Microsoft moves into system security (with their firewall, spyware tool, and I think they recently bought an AV company), and then sets up a 'security' feature that just happens to block out their competitors?
Yeah... that smells pungent to me.
Re:Oh noes! (Score:5, Insightful)
In all of this, Microsoft forgets the most important thing -- It's my freakin computer! If Microsoft hinders me from getting done what I (remember me? I'm the consumer) want, then I have to reconsider my OS decision -- which I did -- about 5 years ago -- and never looked back.
Re:Oh noes! (Score:3, Insightful)
Immediately? I think you're being a bit generous.
Re:Oh noes! (Score:3, Interesting)
I heard this too going from Windows 98 to XP. Still waiting. Vista will be no different.
They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too.
Isn't this exactly what AV and firewalls already do? There is no open easy M$ official way to do any of these security functions is there? Wrapping a DLL here, swapping out a registry entry there isn't much different than a root
Re:Oh noes! (Score:2)
[cough] insmode [/cough]
(user as in ring 3, not user as in user vs. root)
Re:Oh noes! (Score:3, Interesting)
M$ is finally doing what UNIX/Linux/BSD has enjoyed for many years, user processes should not be able to modify OS stuff! Hurray, M$ finally gets the idea!
So here's the problem: certain things do need to modify "OS stuff." What if I want to run a hypervisor, or do kernel-level process monitoring? On Linux you install a new kernel module or recompile a custom kernel. On Windows, there is no official way to do this, so companies that traditionally have relied upon this must move to unofficial mechanisms. C
does this mean... (Score:5, Funny)
Re:does this mean... (Score:2, Funny)
Have I been watching 'The Simpsons' too long?
Re:does this mean... (Score:2, Funny)
We all have. About 10 years too long IMHO.
Why does this sound familiar? (Score:5, Insightful)
This was meant to be an "effective" means to stop viruses, but it served more to force licensing fees out of companies which provide security solutions and to stop independent tinkerers (also known as "good" hackers) from providing cool kernel mods for power users.
What? Did you run out of kayak stories ??? (Score:2, Funny)
What? Did you run out of kayak stories??? What sort of place is this anyway?
Microsoft have their own security product - so DUH (Score:2)
The rule is: If you are in the business of doing X - then Microsoft announce that they are getting into doing X - then you'd better find a way to do Y instead. In the absence of government intervention, an illegal monopoly can do pretty much whatever they heck they like.
Re:Microsoft have their own security product - so (Score:2)
Do you have anything to actually back this up, or is this just your speculation??
Re:Microsoft have their own security product - so (Score:2, Informative)
Windows Live OneCare [windowsonecare.com] service?
Debugger Disables (Score:5, Interesting)
Also, given the fact that MS intends to make patching the standard for releasing a secure OS, the vendors can't really do this kernel checking themselves. Thus, I think it's safe to say from the perspective of this article, the OS's kernel is patchable by anyone.
Blackhat techniques (Score:2, Interesting)
Symantec should be glad that Vista will have this ineffective security layer, so they
Dance puppets dance (Score:3, Funny)
2) New multi-billion $$ industry sprouts for the sole purpose of securing said OS.
3) Insecure OS company institutes blatantly obvious absolutely worthless security "features".
4) No longer new multi-billion $$ industry complains because new BS security measures are worthless & the new features steal their pennies.
4.5) Linux zealot chimes in on how these issues are not issues under their chosen OS.
5) Horribly insecure OS company forms new multi-billion $$ industry to secure their horribly insecure OS in a proprietary fashion.
6) Balmer covers the $1 he owes Gates for the bet they made on whether or not they can steal the billions from the industry that wouldn't exist had it not been for them & their lax attitude toward secure coding practices while blaming the whole fiasco on Google & Linux all the while creating a brand spanking new completely worthless multi-billion $$ proprietary industry. (Thank you Mortimer, er I mean Balmer)
Misleading summary (Score:2)
The linked webpage contains a bunch of "techniques" which are mostly
"If we find a bug in this system call, PatchGuard will be worthless!"
along with a few
"This disables PatchGuard in the current beta build of Vista!"
What if windows ever did secure itself? (Score:2, Insightful)
Many people knock Windows for being insecure, but it's not like Microsoft WANTS it to be that way. No, the people who want it to be that way are the "security" companies. Anti-virus companies have profited from security flaws and viruses alike for many years now, and it has begu
Re:What if windows ever did secure itself? (Score:3, Informative)
The Windows security problems are Microsoft's own fault, and at a FAR more fundamental level than merely flawed implementation.
The problems began because Windows began as a GUI shell on top of a single-user program loader. There's an old adage, "Those who don't understand Unix are doomed to reinvent it - poorly." Multi-user wasn't in there at the beginning, and retrofits were awkward. I realize that the NT kernel is a true multiuser k
The whole "patchguard" concept is bogus (Score:4, Interesting)
The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.
The whole concept of add-on programs having access to kernel memory is so insecure that it has to go. UNIX and Linux limit it to loadable drivers, and the serious microkernels like QNX and IBM's VM don't allow it at all. But the Microsoft world, mostly for historical reasons, has all sorts of crap running with access to kernel memory, from various "security programs" to game DRM components. All that crap should have been taken out in Vista. The fact that it wasn't indicates how minor a change at the kernel level Vista is over XP.
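A user-mode model of the periodic-check design the comment argues against, added here as an illustration and not code from the page or from Microsoft's PatchGuard: the "kernel image", its protected regions, the tick counter and the check interval are all constructed. It shows why polling has a detection window: a patch that stays in place is reported at the next check, while one that is reverted before that check is never seen.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed model: a bytearray stands in for kernel code, and the monitor
# hashes each protected (offset, length) region once every `interval` ticks.
@dataclass
class IntegrityMonitor:
    image: bytearray
    regions: list          # (offset, length) tuples to protect
    interval: int          # ticks between integrity checks
    baseline: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)   # (tick, region) reports
    tick: int = 0

    def __post_init__(self):
        # Record the known-good digest of every region at load time.
        self.baseline = {r: self._digest(r) for r in self.regions}

    def _digest(self, region):
        off, ln = region
        return hashlib.sha256(bytes(self.image[off:off + ln])).hexdigest()

    def advance(self, ticks=1):
        # Advance time; only on check ticks are the regions compared.
        for _ in range(ticks):
            self.tick += 1
            if self.tick % self.interval == 0:
                for r in self.regions:
                    if self._digest(r) != self.baseline[r]:
                        self.alerts.append((self.tick, r))
        return self.alerts

def simulate(interval=5):
    """Return (alerts for a persistent patch, alerts for a transient patch)."""
    image = bytearray(b"\x90" * 64)       # constructed stand-in for code bytes
    mon = IntegrityMonitor(image, [(0, 32), (32, 32)], interval)
    # Scenario 1: region (0, 32) is patched and left patched; the next
    # scheduled check catches it.
    image[0] = 0xCC
    mon.advance(interval)
    persistent = list(mon.alerts)
    # Scenario 2: region (32, 32) is patched between checks and restored
    # before the next one; the poll sees only the original bytes.
    image[0] = 0x90                       # restore region 0 first
    image[32] = 0xCC
    mon.advance(2)
    image[32] = 0x90
    mon.advance(interval - 2)
    transient = [a for a in mon.alerts if a[1] == (32, 32)]
    return persistent, transient

if __name__ == "__main__":
    print(simulate())   # ([(5, (0, 32))], [])
```

The gap between checks is the point the comment makes: any code with kernel-level access can act within that window, or simply disable the monitor, which is why integrity enforcement that runs from a higher privilege level than the code it protects is the stronger design.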
Re:Why would microsoft bother? (Score:5, Interesting)
Certificates of trust already exist in Windows. They're used by web browsers. It would be trivial to use the code that is already present to check for a valid certificate. The second layer of protection - requiring the user/IT department to countersign the patch - would make transparent breakins much harder. Not impossible, but definitely much harder.
Of course, this is all pointless these days, anyway. All a rootkit writer has to do is develop a mini hypervisor or hijack one already in use. For zombies, viruses, etc, you'd then have the externally-visible interfaces in the OS and everything else concealed outside. BIOS viruses could also be quite lethal, as they too would bypass this protection. Far too low a level for the OS to detect. These days, with graphics processors essentially being parallel CPUs, I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.
Re:"using these techniques is not a difficult tric (Score:2)
However, 64 bit windows is incompatible with 32 bit kernel mode drivers (the speed penalty would be too great). Users and vendors know that at least recompilation will be necessary, and this gives Microsoft an excuse to redesign the relevant APIs.
IIRC, Linux driver developers know that binary compatibility is, at best, a nice bonus. This understanding allo
Re:Another law suit... (Score:2)
And what will they do when Windows loses market share (and it will, because it will be in the position of being the only door maker that cannot put a lock on its doors because of the bouncer union)? Request Linux providers and Apple to provide their OS configured with root as default?
Re:Another law suit... (Score:2)
If I want to replace the default door locks on my door with Medeco locks, I should be able to.
(and as far as analogies go, "Operating systems are doors" is about as stupid as "The Internet is made of tubes")
Re:If Microsoft were serious about security... (Score:2, Informative)
Every GUI OS understands the concept of file -> application mappings. Most use file exte
Re:Why do anti-virus applications need kernel acce (Score:2)
Without that ability, a well-written piece of malware can hook into the routines that the anti-virus program uses and filter results or otherwise disable its detection mechanisms. Even if the anti-virus tries to hook the kernel, and is loaded after the malware, it's starting from a severe