Security Blog Log: The never-ending PatchGuard debate

This Halloween, many bloggers are painting Microsoft as the boogeyman because of the PatchGuard feature it's putting in Windows Vista. But the screaming isn't all about whether the feature will allow third-party security products to work properly.

The debate over PatchGuard certainly isn't new. For months, Microsoft has tried to refute accusations from vendors like Symantec Corp. and McAfee Inc. that PatchGuard would lock out third-party security products.

Two weeks ago, Microsoft caved to pressure from security vendors and antitrust officials in Europe and promised to create additional APIs so rival vendors can access the operating system's core and, as a result, develop products that work more effectively with the operating system.

But some vendors have accused the software giant of making hollow promises. As proof, some have pointed to the fact that the company doesn't plan to provide an initial set of documented, supported kernel interfaces until the Windows Vista SP1 timeframe.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at [email protected]. Recent columns: IE 7 arrives, but does anyone care? Taking Google Code Search for a spin ZERT rekindles third-party patching debate

The passion this issue has generated can be seen all across the blogosphere this week. Much of the blogging from vendors is anti-PatchGuard, while a few people are giving Microsoft the benefit of the doubt.

Others, like U.K.-based tech expert and author Adrian W. Kingsley-Hughes, believe PatchGuard has little to do with security and everything to do with Microsoft's need to "lock up content on your PC" as it prepares to follow Apple Computer Inc.'s lead and be a player in the media industry. In his popular PC Doctor blog, he expressed surprise that nobody's talking about the digital rights management (DRM) aspect of PatchGuard, which, in his opinion, reflects a shift in Microsoft's business model.

Microsoft doesn't want to create content, he said, but it does want to have resale and distribution rights. PatchGuard will help Microsoft protect this new business model, he said in a column his blog entry links to.

Authentium claims to puncture PatchGuard
Whether Microsoft's true motive is security or DRM, Kingsley-Hughes and other bloggers took interest in the claims of Palm Beach Gardens, Fla.-based security vendor Authentium that it found a way to circumvent PatchGuard kernel protection.

According to published reports, Authentium claimed it has built a version of its ESP Enterprise Platform that can slither around PatchGuard without setting off the alarm that's supposed to wail if the Vista kernel is cracked.

"So much for PatchGuard being robust," Kingsley-Hughes said. "Hackers will tear it to pieces."

Authentium used its blog to criticize PatchGuard as a feature that will do little to bolster the operating system's defenses.

"PatchGuard is an interesting attempt at making Microsoft Vista more secure. As an industry we fully support all attempts at improving security," the company said. "The reality is that PatchGuard will at most only have a short-term effect on stopping the tide of rootkits and other technologies that it is trying to prevent. The current design of the Microsoft kernel implies that PatchGuard is going to be nothing more than the name suggests -- a patch."

Authentium said its big concern is that Microsoft "has suddenly decided to be the one-and-only expert on what security is without an idea of what the real problems are that they are trying to solve." Being in a monopolistic environment, the company said, "this can have catastrophic results for their (and our) customers."

Vendors go after each other
The furor also shows that security vendors aren't entirely united in opposition to Microsoft. While most vendors have accused Microsoft of trying to lock out their products, UK-based antivirus firm Sophos has essentially endorsed Microsoft's efforts and called the other vendors crybabies.

In a statement, the company said, "Sophos has reassured its customers that Sophos Anti-Virus will offer full protection against malware threats on Vista, and suggests that some security vendors may not have given sufficient thought to the new operating system when developing their products."

Alex Eckelberry, president of Clearwater, Fla.-based security vendor Sunbelt Software, called Sophos' statement a PR stunt in his company's blog.

"Sophos tapped into that angry mob user resentment in a brilliant PR move -- after having drunk the Microsoft KoolAid from a fire hydrant, they openly embraced PatchGuard," he said. "In one fell swoop, they positioning themselves as Microsoft-friendly, happy-dancing, API-loving people. At the same time, they positioned the rest of the industry as a bunch of moronic crybabies."

He then moved back to the familiar argument many security vendors have been making about PatchGuard.

"We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology," he said. "PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can't get in to help the operating system against an attack, at least without permission through APIs."

Microsoft on the defensive
All this chatter has forced Microsoft on the defensive at a time when it probably expected to be celebrating the security accomplishments of Vista and the recently-released Internet Explorer (IE) 7.

In his personal blog, Microsoft security manager Stephen Toulouse repeated the company's position that PatchGuard is a necessary part of Vista's security and that the arguments of security vendors are off base. He also denied that Microsoft was caving to pressure.

"I want to be crystal clear on this: We have not changed the implementation of or our commitment to kernel patch protection in Windows Vista for x64-bit systems," he said. "It's still there, it's not going to be turned off or have blanket exceptions granted for it."

He added that Microsoft is "totally committed" to working with security vendors and has been "working with them for years now to provide new documented and supported interfaces in 64-bit versions of Windows that will allow them to leverage the kernel."

To bolster his argument that Microsoft is on the right side of the issue, he linked to the blog of Joanna Rutkowska, a security researcher for Singapore-based IT security firm COSEINC, who caused a sensation at the Black Hat USA 2006 conference in Las Vegas last August with a demonstration on Blue Pill, a concept she said could be used to neutralize Vista's anti-malware sensors.

He pointed to what he described as Rutkowska's supportive commentary about PatchGuard, which he said reflects the prevailing opinion among security researchers -- that protecting the kernel from undocumented methods of hooking it is a good thing.

Rutkowska described PatchGuard as a radical but probably necessary way to keep software vendors from using undocumented hooking techniques in their products.

Toulouse also mentioned Rutkowska's commentary about the steps Microsoft is taking to prevent Blue Pill from cracking Vista's defenses. But he skipped the part where she criticized Microsoft's approach to Blue Pill as a bad idea.