Security Vendor Bypasses Microsoft's Vista PatchGuard

By Matt Hines  |  Posted 2006-10-24


Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft's next-generation Vista operating system.

The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without triggering the stop error that the feature raises on the desktop when it finds that the Vista kernel has been modified.

ESP Enterprise, an SDK (software development kit) sold by Authentium to telecommunications carriers and so-called managed services providers, offers virus protection, anti-spyware, data recovery, firewall and transaction security capabilities.

PatchGuard, the informal name for the KPP (Kernel Patch Protection) system included in the 64-bit version of Vista to help defend the OS against rootkits and other advanced forms of malware, has become the center of a storm of controversy between Microsoft and major security software makers.

Some companies, including market leaders Symantec and McAfee, have complained that the feature makes it impossible for some of their cutting-edge technologies to interoperate with Vista.

At its core, PatchGuard is meant to block any software, including drivers, from modifying or "hooking" the kernel's system call tables and other core structures, a technique utilized by vendors in sophisticated anti-tampering and behavior-monitoring tools, and used by attackers to install rootkits.

Unlike Symantec, McAfee and others who have demanded that Microsoft allow them to access the kernel, and who claim that the Redmond, Wash.-based software giant is blocking them from doing so to advance its own interests in the security software arena, Authentium officials said they have merely circumvented the feature.

Microsoft recently agreed to provide all of its security partners with new APIs, allowing them greater ability to interact with PatchGuard, which will ship with only 64-bit versions of Vista when the OS arrives in November.

However, Authentium said that while it is waiting to see the level of kernel access those APIs allow, which has become another topic of continued debate between Microsoft and the security industry, it decided to take matters into its own hands.


PatchGuard checks the integrity of protected kernel code and data at irregular intervals. When it finds that a program of any kind has modified the kernel on a system running PatchGuard, which is already shipping in the 64-bit edition of Microsoft's Windows XP, it raises a bug check: the computer shows a blue screen and halts, stopping all other Windows applications from running.
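To make the two mechanisms described above concrete, here is an added user-mode C model (not code from Authentium, Microsoft, or this article): a dispatch table of function pointers stands in for a kernel service table, hook_install() does what a legacy AV engine or a rootkit does to it, and a guard modelled on PatchGuard snapshots a hash of the table and reports whether it has changed. The service names, the FNV-1a snapshot and the table layout are assumptions made for the illustration; PatchGuard's real checks are obfuscated and cover many more structures.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for a kernel dispatch table such as the system service
 * descriptor table: an array of function pointers indexed by service
 * number. Both services are hypothetical. */
typedef long (*svc_fn)(long);

static long svc_open(long arg) { return arg + 1; }
static long svc_read(long arg) { return arg * 2; }

enum { SVC_OPEN = 0, SVC_READ = 1, SVC_COUNT = 2 };
static svc_fn dispatch[SVC_COUNT] = { svc_open, svc_read };

/* --- the guard: an integrity check modelled on PatchGuard ---
 * PatchGuard records what protected code and data should look like and
 * re-verifies them at unpredictable intervals; a mismatch raises bug
 * check 0x109 (CRITICAL_STRUCTURE_CORRUPTION). This model keeps an
 * FNV-1a hash of the table taken at init and recomputes it on demand. */
static uint64_t fnv1a(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= b[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t guard_baseline;

void guard_init(void)
{
    guard_baseline = fnv1a(dispatch, sizeof dispatch);
}

/* Returns 1 if the table differs from the snapshot, else 0.
 * A real kernel would bugcheck instead of returning. */
int guard_check(void)
{
    return fnv1a(dispatch, sizeof dispatch) != guard_baseline;
}

/* --- the hook: what a legacy AV engine or a rootkit does ---
 * Swap a table entry for a wrapper that observes the call and then
 * forwards it to the original service. */
static svc_fn saved_read;
static long hooked_calls;

static long hooked_read(long arg)
{
    hooked_calls++;            /* observe (or filter) the call */
    return saved_read(arg);    /* forward to the original service */
}

void hook_install(void)
{
    saved_read = dispatch[SVC_READ];
    dispatch[SVC_READ] = hooked_read;
}

void hook_remove(void)
{
    dispatch[SVC_READ] = saved_read;
}

long call_service(int svc, long arg)
{
    return dispatch[svc](arg);
}

long hooked_call_count(void)
{
    return hooked_calls;
}

int main(void)
{
    guard_init();
    printf("before hook: modified=%d\n", guard_check());
    hook_install();
    call_service(SVC_READ, 21);
    printf("while hooked: modified=%d, observed calls=%ld\n",
           guard_check(), hooked_call_count());
    hook_remove();
    printf("after unhook: modified=%d\n", guard_check());
    return 0;
}
```

Two things the model makes visible: the guard cannot tell a "good" hook from a rootkit's, since both are the same write to the same table, which is the interoperability complaint in this article; and because the check is periodic rather than continuous, a hook that is removed before the next guard_check() leaves no trace, which is why PatchGuard randomizes its timing and why any bypass ultimately targets the checker or its schedule rather than the table.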

Authentium said its workaround allows it to access the kernel without incurring the bug check.

Specifically, the company said it is using a part of the kernel intended to help the OS support older hardware to bypass the feature. According to Authentium, the loophole lets its tools hook the Vista kernel and withdraw again without the OS detecting the change.


White Hat Hackers

Hackers will quickly find similar ways to defeat PatchGuard once it arrives, said Corey O'Donnell, vice president of marketing at Authentium, and that's why his company isn't waiting to see what Microsoft's APIs will allow for.

"Good and bad guys have the same job, to identify holes in whatever software is delivered and beat it," O'Donnell said.

"We will be the white hat hackers, and the first thing we looked at was how PatchGuard would be broken; we side with McAfee and Symantec on the marketing side, in terms of what Microsoft is doing in pushing its own security tools, but from a technical standpoint we don't see PatchGuard as anything more than another hurdle to clear."

Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move.

O'Donnell said that Authentium has informed Microsoft of its work, and that the software company asked it to abandon the tactic and wait for its new APIs, but he indicated that his company has no plans to do so.

While Authentium is optimistic about working with Microsoft to find ways to integrate their products that both companies can approve, in the meantime the security specialist feels it is smarter to have its own methods for interacting with PatchGuard at the ready.

The company said it believes the APIs may do more harm than good once available, as the tools may allow less experienced hackers to use the guidelines for creating attacks.

Rather than using the APIs, or allowing access to the kernel as in previous iterations of Windows, O'Donnell said that Microsoft should create a certification system for allowing approved drivers to interact with Vista's core.


"We do think that PatchGuard is a good idea, but the implementation is not the best," he said.

"The API solution might make it easier to beat Vista, but anything that increases OS security is a good thing; we exist to help protect customers, and anything that advances that effort is helpful for everyone."

Authentium may agree with Symantec and McAfee from a marketing perspective, in terms of demanding that Microsoft not use its monopoly status in the OS market to take over the security applications space, but O'Donnell said the companies have overplayed their hand with the PatchGuard controversy.

Telling customers that Vista's features won't allow some of their products to work with the OS may actually benefit smaller companies such as Authentium, he said.

The real reason those companies dislike PatchGuard is because it will drive up the expense of developing their own products, he said, since the kernel protection feature will need to be patched and will force vendors to produce more software updates of their own.

Spokespeople for Santa Clara, Calif.-based Symantec said the company is pleased with Microsofts move to provide new APIs for interaction with PatchGuard, and that it has no plans to attempt to circumvent the feature in its own products.


Microsoft Defends Itself

However, the company also maintains that its own anti-tampering and behavior-monitoring tools would be too hard to attach to Vista in such a manner.

"Those are going to be the ubiquitous technologies for protecting enterprises in the future, and they must interact with kernel," said Symantec spokesperson Chris Paden.

"Microsoft has helped its own cause with customers by cooperating further with the security industry to solve this problem, and they appear to have taken steps in that direction with the new APIs."

At least one industry watcher believes that Symantec and McAfee have developed methods of their own for working with, or circumventing, PatchGuard, and contends that the firms have only kept the heat on Microsoft over the feature to keep antitrust regulators alert to Microsofts continued push into their territory.

Andrew Jaquith, analyst with Boston-based Yankee Group, said that the entire controversy over PatchGuard is nothing more than the security vendors trying to ensure that Microsoft is not allowed to eliminate the need for their own security applications, specifically in the enterprise space.

It is already widely believed that Vista's anti-virus features will have a decimating effect on demand from consumers for aftermarket products filling the same role.

"The point about PatchGuard is less about whether it's fair or the right thing to do, or whether it can be bypassed; it's really another skirmish in the long-term war by the security companies of keeping Microsoft's security activities regulated," Jaquith said.

"Symantec and McAfee will have products that work with Vista available when it ships; they already have products available that work with PatchGuard in Windows XP."

"The vendors do have a point when they say that Microsoft could have come up with a better manner of working with the industry over this feature and others, that didn't leave so much up for interpretation," the analyst said.

"But this is about attempting to regulate a monopolist, and the vendors finding a relatively cheap way to slow down Microsofts move into the security business, and not the technology itself."
