Windows Vista Risks - “A Reality Check on PatchGuard”

Oct 13 2006

By Kurt Seifried (kurt@seifried.org)

A fitting entry for Friday the thirteenth. We start the day with the first of a series of articles on the various security risks, many of which people have not yet considered, that Microsoft Corp.’s flagship operating system Windows Vista will introduce. So without further ado, let’s begin.
A blog entry was recently posted to the official Symantec Corp. security blog:

By Oliver Friedrichs (Symantec Corp.)
“I have to say that it is not surprising to see that Microsoft is countering the claims (that Symantec, McAfee, and others are making) that Windows Vista will hinder innovation, while putting consumers at risk. In fact, I think that it is to be expected. Some of the arguments that are being put forth in their favor are rather uninformed, exceptionally broad, and disingenuous. They have been presented in such a way as to position security vendors as though we have for decades preyed on the weak and stolen from the poor and with the emergence of Windows Vista, freedom from this tyranny is in sight. The reality is, we offer a real service—protection from real threats that will otherwise result in real losses—and this is by no means a protection racket. In any case, it’s not my intent to try and dissuade that part of the population that really thinks this; but, I will try to offer some insight to those who would consider themselves technologists.”

For commentary and a link to the article, read on.

The main assertion of the entire article seems to be that Microsoft’s new PatchGuard technology, which is designed to prevent modification of the system, kernel and other low-level functionality, is not only flawed but designed to keep security companies such as Symantec Corp. from building products for Windows Vista. Symantec Corp. does, however, admit:

One of the main points of contention with Microsoft involves one specific new technology, implemented in the 64-bit version of Windows Vista (and previously introduced in XP 64-bit, and Server 2003). The 64-bit version of Windows Vista introduces PatchGuard. PatchGuard prevents anyone (with the exception of Microsoft) from tampering with, extending, enhancing, and protecting the Windows Vista kernel. It does this by detecting when a driver, or other code running inside the kernel, attempts to add this extended functionality. It monitors key system structures, one in particular being the System Service Dispatch Table (SSDT). When it detects a modification to this table, it results in a blue screen of death (BSOD), with the belief that malicious code may have tampered with the kernel. It is important to note that there are both legitimate, as well as malicious reasons for an application to modify this table.

And later on:

Microsoft has legitimate reasons for protecting the Windows Vista kernel. Nobody can dispute that this is in everyone’s best interest. The main reason, besides security, is one of digital rights management (DRM). In order to provide a protected media path, the kernel must be protected from malicious applications that may steal video or audio content. Microsoft has to prevent anyone from writing a driver that will intercept protected content. As a result, they have implemented a significant portion of the Palladium NGSCB security model.

In short, these admissions show the crux of the problem. Windows Vista needs to be “secure by default” against hacking tools such as rootkits and against intentional user modification that would render Digital Rights Management inoperative. However, in doing so the OS is also protected and hardened against potentially legitimate software that has traditionally made use of low-level hooks and APIs in order to accomplish its mission (such as virus scanning). On the other hand, security researchers have already claimed that PatchGuard can be bypassed and the Windows Vista operating system subverted with rootkits.

Damned if you do, and damned if you don’t.
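As an added illustration (not part of the original post, and not Symantec’s or Microsoft’s code), the following Python model of a PatchGuard-style integrity check over a toy dispatch table shows why the guard cannot tell a legitimate anti-virus hook from a rootkit hook: both replace the same table entry, and both trigger the simulated bugcheck. The table contents, service indices, hook labels and function names are constructed assumptions.

```python
import hashlib

# Constructed toy model of a System Service Dispatch Table (SSDT): service
# index -> handler name. Real entries are kernel function pointers.
BASELINE_SSDT = {
    0x42: "NtCreateFile",
    0x52: "NtOpenProcess",
    0x7A: "NtWriteVirtualMemory",
}

class KernelIntegrityViolation(Exception):
    """Stands in for the bugcheck (BSOD) raised when the table changes."""

def table_digest(table):
    # Hash entries in canonical order so any changed entry alters the digest.
    h = hashlib.sha256()
    for index in sorted(table):
        h.update(f"{index:#x}:{table[index]}\n".encode())
    return h.hexdigest()

class TableGuard:
    """Snapshot the table at boot, then verify it on each periodic check."""
    def __init__(self, table):
        self.table = table
        self.snapshot = dict(table)
        self.baseline = table_digest(table)

    def check(self):
        if table_digest(self.table) == self.baseline:
            return True
        changed = [hex(i) for i in sorted(self.table) if self.table[i] != self.snapshot.get(i)]
        raise KernelIntegrityViolation(f"SSDT entries modified: {changed}")

def hook_service(table, index, handler):
    # Replace a dispatch entry. An anti-virus on-access filter and a rootkit
    # hiding processes both do exactly this, so the guard sees the same change.
    table[index] = handler

def simulate(hook_label):
    # Boot with a clean table, install one hook, then run the next check.
    table = dict(BASELINE_SSDT)
    guard = TableGuard(table)
    guard.check()  # unmodified table passes
    hook_service(table, 0x52, hook_label)
    try:
        guard.check()
        return "ok"
    except KernelIntegrityViolation:
        return "bugcheck"
```

Whatever label the hook carries, `simulate` returns "bugcheck", which is the situation the vendors are complaining about: the check sees a modified entry, not an intent.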

Additionally, there is no real incentive for Microsoft Corp. to make a level playing field in the security space: they have been moving into this space with products such as Windows OneCare, Microsoft Defender and so on. They are also under no obligation to make their product interoperable with other software solutions (although some might argue that they are, in consideration of their monopoly status and the abuse thereof).

Then there is the fact that Russian anti-virus firm Kaspersky Lab has publicly defended Microsoft Vista, stating that “Microsoft’s new operating system Vista will not make it more difficult for anti-virus systems to work”; however, this should be taken with a grain of salt, since Kaspersky Lab is currently a candidate for an initial public offering (IPO).

In summary, we have a real mess. Several major vendors are claiming that Windows Vista will not properly support third-party security solutions that are currently accepted as best practices. We have a vendor that is potentially in the IPO process claiming that there is no problem. We have a historically monopolistic vendor moving into the security space, utilizing practices for which they are infamous (e.g. the DR-DOS debacle, in which Windows 3.1 detected whether it was running on DR-DOS rather than MS-DOS and, if so, intentionally disabled portions of the system so that it did not run properly).

Until this and several other issues are all sorted out, I would suggest holding off on any Windows Vista deployments until existing and future security software can be tested and confirmed to work properly and to protect Windows Vista against current threats. There are also other issues that have not yet been made public or fully understood that will significantly impact the deployment, maintenance and configuration of enterprise networks in order to support Windows Vista. Stay tuned for more.

Blog posting: “A Reality Check on PatchGuard”

Kaspersky Defends Microsoft Over Windows Vista Security



Posted by Kurt.Seifried on Friday, October 13th, 2006, at 12:12 am, and filed under Articles, Technical, Windows Vista.
