Microsoft Decries Vista PatchGuard Hack

The software giant said Authentium should reconsider its approach, and contends that attempts by other vendors to bypass the controversial Vista kernel security feature could lead to problems for users.


Microsoft officials say they are unhappy that security software maker Authentium has decided to bypass the controversial PatchGuard kernel protection feature in its next-generation Vista operating system, and said that the tactic could lead to eventual problems for users of the company's software.

Responding to Authentium's move to circumvent PatchGuard in its products, company officials said that the decision to hack the feature could prove unwise for the security vendor, as Microsoft will work to close off any flaws that allow unauthorized kernel interaction, making technologies dependent on such access obsolete.

As a result, users of applications that circumvent PatchGuard could find themselves unprotected from attack, or dealing with other problems driven by a lack of authorized integration between Vista and those products.

"Microsoft is aware of public reports of ways to subvert the kernel in Windows Vista and has addressed them in current builds; however, we have not received any other reports of ways to subvert the kernel in existing builds of Vista," said Adrien Robinson, director of Microsoft's Security Technology Unit.

"If a vulnerability is discovered in Kernel Patch Protection, Microsoft will issue a security update as part of the standard Microsoft Security Response Center process."

Further, Robinson said that the use of tools that bypass PatchGuard could leave end users' PCs less secure, as the technique could reduce the ability of Vista's onboard system defense tools to identify and fend off rootkits and other forms of malware.

In order to preserve the integrity of the operating system's features, security software makers should use the APIs provided by Redmond, Wash.-based Microsoft, rather than create their own methods for integrating with PatchGuard, she said.

While Vista isn't expected to arrive on the market until November, PatchGuard is already in use on 64-bit versions of Microsoft's existing Windows XP software.

"We continue to encourage all software vendors to work with Microsoft on supported design approaches that work with Kernel Patch Protection to ensure that customers can have a secure and reliable computing experience on Windows Vista and Windows XP 64-bit systems, rather than putting customers at risk by developing approaches to try to bypass Kernel Patch Protection and as a result reduce the security protection of Windows," Robinson said.

PatchGuard has touched off a high-profile debate between Microsoft and security software makers over the technology's implications.


Some companies, including security software market leaders Symantec and McAfee, have complained that the feature makes it impossible for some of their cutting-edge technologies to interoperate with Vista.

The feature is meant to block any application from accessing, or "hooking," Vista's kernel commands, a technique used by vendors in anti-tampering and behavior monitoring tools, and used by hackers in attacking computer systems with rootkits.

Symantec and McAfee claim the technology will greatly reduce the efficacy of their own applications, but Microsoft has promised the companies a new set of APIs that will allow their products to work without hooking the Vista kernel.

Authentium took matters into its own hands, saying that it will work with Microsoft on the new APIs, but continue to develop products that bypass the feature in order to have Vista security applications available as soon as the OS is shipped.


While some industry watchers contend that Symantec and McAfee are making noise over PatchGuard in order to keep regulators focused on Microsoft's continued push into the security applications space, Authentium executives said their company's strategy is based purely on the goal of providing adequate protection for end users.

PatchGuard is a good idea, but the company cannot afford to wait for Microsoft to provide APIs that give its products the kernel access necessary to do their jobs, said Corey O'Donnell, vice president of marketing at Authentium, based in Palm Beach Gardens, Fla.

"We're not going to sit here and tell Microsoft to write a hole-filled product to keep us in business, but there will be hackers who beat PatchGuard, regardless," O'Donnell said.

"Our solution to work around PatchGuard may be seen as detrimental, and Microsoft will patch it and we will need to reengineer, but our focus is on protecting customers, and this is what we needed to do in order to do that right now."

When a program of any kind attempts to modify the kernel on a system running PatchGuard, the computer produces a blue screen and stops all other Windows applications from running.

Authentium said its workaround allows it to access the kernel without incurring the shut-down.

The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature.

The loophole allows the company's tools to infiltrate Vista's kernel hooking driver, and get out, without the OS knowing the difference.

Authentium isn't the only party to contend that PatchGuard can be bypassed easily. A security researcher associated with the Metasploit Project has already published an essay on the IT exploit research site that proposes several different techniques that could be used to circumvent PatchGuard.
