Vista kernel limits have security vendors on edge

Of specific interest is Vista's PatchGuard feature that prevents any software other than Microsoft's from adding extensions to the Vista kernel, regardless of the intent. This is not only designed to prevent malware from hooking the kernel for nefarious purposes, but it should also stop third-party software from making legitimate extensions to the kernel.

Following the May debut of Microsoft's Windows Live OneCare antivirus, antispyware and security suite, the Redmond, Wash., software giant has executives at other antivirus and security companies on edge.

"I haven't gotten any answers from the Windows engineers as to whether this is a new policy or just something they're doing, but at a company like Microsoft something like this usually happens from the top down," David Thompson, CIO at Symantec, of Cupertino, Calif., said in a recent interview. "What this does is limit our ability to build products that are compatible with Vista. That's bad for customers."

But it's also potentially good for Microsoft. The company for years has relied on Symantec, McAfee Inc., Trend Micro Inc. and CA Inc. to deliver antivirus products for Windows machines, and most PC manufacturers preload one of these vendors' AV suites on new computers. But that model could quickly be going by the wayside, as Microsoft prepares to deliver Vista and works to entice consumers to switch to Windows Live OneCare.

More on Vista security Microsoft still unlocking its security identity Vista security skepticism swells Windows Vista doubles Group Policy's potential Enterprises overly optimistic about Vista security

"Since many programs, including security software, use the kernel in undocumented ways, they had a concern," said Ron O'Brien, senior security analyst at UK-based antivirus firm Sophos plc. "PatchGuard will serve as a deterrent for a period of time, but will be circumvented sooner or later."

Some executives in the security industry, including Symantec CEO John Thompson, have said that they don't fear Microsoft as a competitor. But CIO David Thompson said the company is very aware of the threat that Microsoft poses to its core AV business.

"We absolutely take them seriously. That's a very smart group of people," Thompson said. "But I have a lot of confidence in our team too. We have a very large and very loyal customer base."

PatchGuard has been available on Windows XP x64 Edition for some time, but its inclusion in Vista will be its first wide release. In a blog post this week discussing the kernel mode security in Windows, Oliver Friedrichs, director of emerging technologies at Symantec, expressed many concerns about PatchGuard and its implications.

"Another disturbing side effect of this technology is that while legitimate security vendors can no longer make extensions to the Vista kernel (any attempt to circumvent these security features may only work temporarily), researchers and attackers can, and have, already found ways to disable and work around PatchGuard," Friedrichs wrote. "These new technologies, along with Microsoft's unwillingness to make compromises in this area, have serious implications for the security industry as a whole."

A source at Microsoft, who asked not to be named, said the company has no agenda that would justify preventing other security vendors from making compatible products; it is simply trying to lock down the Vista kernel as tightly as possible.