Vista kernel limits have security vendors on edge

Microsoft's PatchGuard feature will prevent third-party extension of the Windows Vista kernel, and antivirus vendors say it will make it harder for them to produce good security products.

Executives at Symantec Corp. and other security vendors say that some of the security technologies that Microsoft plans to introduce in Vista are making it harder for them to build products that protect customers.

Of specific interest is Vista's PatchGuard feature (Microsoft's own name for it is Kernel Patch Protection), which prevents third-party software from patching the Vista kernel, regardless of intent. PatchGuard, which exists only on the 64-bit editions of Windows, periodically checks that protected kernel code and data structures, such as the system service descriptor table and the interrupt descriptor table, have not been modified; when it finds a modification it does not undo it, it halts the machine with a bug check. It is designed to stop malware from hooking the kernel for nefarious purposes, but because it cannot tell a rootkit's hook from a security product's, it also stops third-party software from making legitimate extensions of the same kind. Microsoft, which controls the kernel, has no need to patch it.

Following the May debut of Microsoft's Windows Live OneCare antivirus, antispyware and security suite, the Redmond, Wash., software giant has executives at other antivirus and security companies on edge.

"I haven't gotten any answers from the Windows engineers as to whether this is a new policy or just something they're doing, but at a company like Microsoft something like this usually happens from the top down," David Thompson, CIO at Symantec, of Cupertino, Calif., said in a recent interview. "What this does is limit our ability to build products that are compatible with Vista. That's bad for customers."

But it's also potentially good for Microsoft. The company for years has relied on Symantec, McAfee Inc., Trend Micro Inc. and CA Inc. to deliver antivirus products for Windows machines, and most PC manufacturers preload one of these vendors' AV suites on new computers. But that model could quickly be going by the wayside, as Microsoft prepares to deliver Vista and works to entice consumers to switch to Windows Live OneCare.


Other security vendors say they understand why Microsoft is doing what it's doing with PatchGuard and similar kernel-protection technologies, but say that the effects will likely be short-lived.

"Since many programs, including security software, use the kernel in undocumented ways, they had a concern," said Ron O'Brien, senior security analyst at UK-based antivirus firm Sophos plc. "PatchGuard will serve as a deterrent for a period of time, but will be circumvented sooner or later."

Some executives in the security industry, including Symantec CEO John Thompson, have said that they don't fear Microsoft as a competitor. But CIO David Thompson said the company is very aware of the threat that Microsoft poses to its core AV business.

"We absolutely take them seriously. That's a very smart group of people," Thompson said. "But I have a lot of confidence in our team too. We have a very large and very loyal customer base."

PatchGuard has shipped on Windows XP x64 Edition for some time, but its inclusion in Vista will be its first wide release. In a blog post this week discussing kernel-mode security in Windows, Oliver Friedrichs, director of emerging technologies at Symantec, expressed many concerns about PatchGuard and its implications.

"Another disturbing side effect of this technology is that while legitimate security vendors can no longer make extensions to the Vista kernel (any attempt to circumvent these security features may only work temporarily), researchers and attackers can, and have, already found ways to disable and work around PatchGuard," Friedrichs wrote. "These new technologies, along with Microsoft's unwillingness to make compromises in this area, have serious implications for the security industry as a whole."

A source at Microsoft, who asked not to be named, said the company has no agenda that would justify preventing other security vendors from making compatible products; it is simply trying to lock down the Vista kernel as tightly as possible.
