Windows' Patchguard Hinders Security Vendors 187
eldavojohn writes "Windows' PatchGuard seems to be upsetting third party security vendors such as Symantec, Sana Security and Agnitum. It sounds like the 'black hats' will be able to bypass this security feature (which will be in all copies of Vista) but force security software companies to give up developing software for Windows. From the article: 'PatchGuard will make it harder for third parties, particularly host intrusion-prevention software, to function in Vista,' said Yankee Group analyst Andrew Jaquith. 'Third parties have two choices: continue to petition Microsoft to create an approved kernel-hooking interface so products like theirs can work, or use "black hat" techniques to bypass the restrictions.' Apparently, using these techniques is not a difficult trick."
Oh noes! (Score:5, Insightful)
C'mon, get a grip. Despite the fact that this is a dupe, it still angers me that the 'major' pc protection companies can't deal with windows actually securing itself. They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too. Any blackhat technique they use would be immediately patched by Microsoft. Doesn't take a genius to see that.
Re:Oh noes! (Score:2, Funny)
Any blackhat technique they use would be immediately patched by Microsoft.
Yes, they could patch. Or (and it's probably obvious, but IANAL) if they want to be "legally" anti-competitive, they could always claim that third-party vendors are violating the DMCA by using said techniques...
Re:Oh noes! (Score:2)
Re:Oh noes! (Score:4, Interesting)
Re:Oh noes! (Score:5, Insightful)
Re:Oh noes! (Score:5, Insightful)
Well, history tells us that the likelihood of Windows actually securing itsself is pretty slim.
If they could use black hat techniques, then it wouldn't be secure now, would it?
Having said that, it's a catch-22. If Windows implements an approved kernel hook for the antivirus companies, it will get exploited. If they don't, then no antivirus software, but just as many virus writers.
Wether or not Microsoft is going to help 3rd parties sell software to secure Windows, there will be people doing the same things they do now. Except in that case, the consumer is on their own and waiting for Microsoft to stop them from getting pwn3d.
Cheers
Re:Oh noes! (Score:3, Interesting)
I just felt it had to be said but : Since when can you not totally mess up a Linux system when you're running software as root?
I don't see local software running as root and therefore having root permissions as "a security hole". The only security holes I worry about is elevated permissions and unauthorized installs such as the 0-day IE exploit and buffer overruns.
While I'm glad MS is s
Re:Oh noes! (Score:4, Interesting)
Absolutely you can. But, if I choose to install software, I can decide that I trust it, and want it running as root. But the rest of the time, I'm logged in as a user who doesn't have root priveleges, and can't bork anything but my own stuff. If the user wishes to install kernel-level software, they're allowed. I've ran apache as both userland and root, except for which ports it can bind to, apache doesn't care.
That has always been the problem. You simply can't do anything on windows without being the admin, because so much crap just expects to have it, and fails if it doesn't. And then every damned website you visit which has an exploit is the administrator. Whee!! How fun!
Back in the day, if I wanted some software on a UNIX machine, and the cranky UNIX admin said "leave me the fsck alone", I could still untar it into my own directory, set my path variable (give or take one or two more) and just run it. The software ran just fine in userland, and was isolated from the OS. It could hose my files, but not the system.
Same deal on a Mac, the folder which was the install was the whole app. You could move it or delete it -- deleting was uninstalling basically. On Windows, every bloody piece of software expects to be able to write to the registy, install itsself for every user, demands that it write to Program Files, and possibly muck with some stuff in the Windows folders. Because that's how you're expected to do these things.
The fact that you can't do anything in Windows without being the admin has always been a major source of problems. If they had a model whereby users could install software into their own "user programs" or somesuch, and that was separated from the rest of the damned OS, these things couldn't happen.
However, as long as MS sticks with the way they have envisioned the world, preventing people from having kernel hooks (unless you use black hat methods) is kind of an empty solution, because it doesn't address the bigger problem of needing to be the Administrator to accomplish anything on a Windows machine.
Cheers
Re:Oh noes! (Score:3, Interesting)
And its not a matter of being insecure at the software level, its a matter of bad practices implemented to make things convenient for "low knowledge users" in home environments.
While I get what you're
Re:Oh noes! (Score:3, Interesting)
First off, I agree with everything you said in both posts.
It just has the effect that the system is highly insecure because of the design, which is no better.
Re:Oh noes! (Score:2)
Re:Oh noes! (Score:5, Interesting)
I agree, but theres no *point* in doing anything in Windows without being admin.
There is no point in running Windows as a non-priviledged user.
If you doubt my word, log into your favorite Windows as your unpriviledged user and set up a scheduled task to run cmd.exe
When the scheduled task runs and you get a command window try and see what you *cannot* do on the system...
(I used to put a great deal of effort into running as an unpriviledged user; I spent hours trying to get games to run without having to be Admin. It seems that I totally wasted my time. Thanks, Bill.)
Re:Oh noes! (Score:2)
And games not running as admin is (usually) not Bill's fault. Blame copy protection for that one.
Re:Oh noes! (Score:2)
Re:Oh noes! (Score:2)
Administrative Tools -> Computer Management -> Local Users and Groups
Or, alternatively, for the actual old Control Panel dialog:
Start -> Run -> control userpasswords2
Want to access the (much more powerful) ACL-based File Sharing and Security from 2000 rather than the simple one presented by default in XP? You need Pro, but:
M
Re:Oh noes! (Score:2)
Scheduling system tasks is a privilege account, not allowed in XP (at least not XP SP2).
Admin (Score:2)
Administrator accounts in Vista are much better handled than in XP. Even when you're logged on as an administrator in Vista, you run with user priviliges. Should a program actually NEED your admin powers, a little dialog box pops up whenever a program tries to use admin priviliges. (It's a little annoying, but it doesn't happen as often as you'd think and it's much more secure.) When on an strictly userland account, this box also has a prompt for the admin password.
For games and other programs that pr
Re:Oh noes! (Score:2)
Wonderful
Drivers (Score:2)
If Windows implements an approved kernel hook for the antivirus companies, it will get exploited
Not exactly - Windows Vista breaks a lot of hardware support by forcing most drivers to exist in user mode instead of kernel mode. This keeps the system more stable because a crappy driver running in user won't bluescreen the computer and besides, your printer driver doesn't need to be in ring 0 anyway.
Most antivirus software uses a kernel mode driver to implement "on-access" scans or to see past a user-mo
Re:Oh noes! (Score:5, Interesting)
Whether MS' technique works or not, it's bad for us as it limits our choices.
Of course I'm sure neither of these is a concern to symantec, only that they'll make less money, but they are still valid arugments to consider.
Re:Oh noes! (Score:5, Interesting)
Microsoft moves into system security (with their firewall, spyware tool, and I think they recently bought an AV company), and then sets up a 'security' feature that just happens to block out their competitors?
Yeah... that smells pungent to me.
Re:Oh noes! (Score:2)
I'm sorry, but this is exactly the sort of bullshit monopoly laws exist to prevent: a company with an excessive amount of market share abusing its position in an attempt to exclude its competitiors.
If the above is actually your position and not a post with the intent of making fun of the Billy's Bitches Club, you have to realize that posting something of that kind of rediculous petulance only serves to make your entire argument seem... well, pathetic.
If it is sarcasm making fun of the MS Fanclub, you sh
Re:Oh noes! (Score:5, Insightful)
In all of this, Microsoft forgets the most important thing -- It's my freakin computer! If Microsoft hinders me from getting done what I (remember me? I'm the consumer) want, then I have to reconsider my OS decision -- which I did -- about 5 years ago -- and never looked back.
Re:Oh noes! (Score:2)
Well, then, maybe Microsoft will have to do the "charitable" thing and help out poor old Symantec like they did Apple and Borland to keep the monopoly monster away?
Re:Oh noes! (Score:2)
Re:Oh noes! (Score:2)
Re:Oh noes! (Score:3, Insightful)
Immediately? I think you're being a bit generous.
Re:Oh noes! (Score:3, Interesting)
I heard this too going from Windows 98 to XP. Still waiting. Vista will be no different.
They would actually consider using blackhat techniques instead of the provided methods? They'd be fools, too.
Isn't this exactly what AV and firewalls already do? There is no open easy M$ official way to do any of these security functions is there? Wrapping a DLL here, swapping out a registry entry there isn't much different than a root
Re:Oh noes! (Score:2)
[cough] insmode [/cough]
(user as in ring 3, not user as in user vs. root)
Re:Oh noes! (Score:3, Interesting)
M$ is finally doing what UNIX/Linux/BSD has enjoyed for many years, user processes should not be able to modify OS stuff! Hurray, M$ finally gets the idea!
So here's the problem, certain things do need to modify "OS Stuff." What if I want to run a hypervisor, or to kernel level process monitoring? On Linux you install a new kernel module or recompile a custom kernel. On Windows, there is no official way to do this, so companies that traditionally have relied upon this must move to unofficial mechanisms. C
Re:Oh noes! (Score:2)
Re:Oh noes! (Score:2)
You're right. But I also see the solution in your message. Read it over a few times, and you'll get it.
If you're thinking switching away from Windows is the solution, you're missing the big picture. Because of their monopoly MS can do things like this that hurt consumers, but the artificial benefits to staying or problems with switching still make staying on Windows the right business case for the majority of people. If we simply had a free market, consumers would have switched already, but we don't. Mon
Re:Oh noes! (Score:2)
Me too, but it makes business sense: the whole "pc protection" industry is based on the fact that Windows is insecure. Of course they are upset if Windows is getting more secure, and they will do everything in their power to prevent this.
I think the point is... (Score:2)
I think the point is that Windows IS NOT actually securing itself. If it's easy for black hats to get around it how can it be "Secure?"
windows has no security from Microsoft (Score:2)
Recently, I was forced onto SP2 (new computer, old computer died, even linux won't run on the new system -- doesn't see the SAS Harddisk at all nor the Gigabit Broadcom ethernet; I'm sure it will be supported in 12-18 months
But one of the brilliant things I noticed about their "security upgraded XP" was that it seemed to "disable" most of
Re:Oh noes! (Score:2)
does this mean... (Score:5, Funny)
Re:does this mean... (Score:2, Funny)
Have I been watching 'The Simpsons' too long?
Re:does this mean... (Score:2, Funny)
We all have. About 10 years too long IMHO.
Should be an optional feature. (Score:5, Insightful)
Re:Should be an optional feature. (Score:2, Interesting)
Re:Should be an optional feature. (Score:2)
Huh?
Where are my programs?
And for the life of me i can't find the END button and the off button on my computer doesn't seem to function under windows
All they gave me was a button labeled START but the computer is already started.....
Meanwhile i will wait for the VISTA-EU edition after they make MS provide a functioning interface
Re:Should be an optional feature. (Score:4, Insightful)
Re:Should be an optional feature. (Score:5, Insightful)
Re:Should be an optional feature. (Score:2)
Optional seccurity features are useless (Score:4, Interesting)
Re:Optional seccurity features are useless (Score:2)
Why does this sound familiar? (Score:5, Insightful)
This was meant to be an "effective" means to stop viruses, but it served more to force licensing fees out of companies which provide security solutions and to stop independent tinkerers (also known as "good" hackers) from providing cool kernel mods for power users.
What? Did you run out of kayak stories ??? (Score:2, Funny)
What? Did you run out of kayak stories ??? What sort of place is this anyway ?
Microsoft have their own security product - so DUH (Score:2)
The rule is: If you are in the business of doing X - then Microsoft announce that they are getting into doing X - then you'd better find a way to do Y instead. In the absence of government intervention, an illegal monopoly can do pretty much whatever they heck they like.
Re:Microsoft have their own security product - so (Score:2)
Do you have anything to actually back this up, or is this just your speculation??
Re:Microsoft have their own security product - so (Score:2, Informative)
Windows Live OneCare [windowsonecare.com] service?
Re:Microsoft have their own security product - so (Score:2)
The free AV products. Avast is very good and has actually caught infected files that Symantec ignored on my customers' PCs. I see no reason to pay M$ $50/yr if free products that are likely just as good as *their* software are available.
-b.
Re:Microsoft have their own security product - so (Score:2)
Consider this series: "OneCare" -- "MonoCare" -- "Monopoly"
"No more worrying about different versions of your antivirus software."
Debugger Disables (Score:5, Interesting)
Also, given the fact that MS intends to making patching the standard for releasing a secure OS, the vendors can't really do this kernal checking themselves. Thus, I think it's safe to say from the perspective of this article, the OS's kernel is patchable by anyone.
Blackhat techniques (Score:2, Interesting)
Symantec should be glad that Vista will have this ineffective security layer, so they
Micro$oft and Control (Score:2, Insightful)
Re:Micro$oft and Control (Score:2)
To Save a Village... (Score:2)
Re:To Save a Village... (Score:2)
Why not? Picture a heavy steel door with no holes in it, but secured by a thin plastic deadbolt. Cut a hole in the door and put in a proper deadbolt, and it'll become more secure.
-b.
Dance puppets dance (Score:3, Funny)
2) New multi-billion $$ industry sprouts for the sole purpose of securing said OS.
3) Insecure OS company institutes blatantly obvious absolutely worthless security "features".
4) No longer new multi-billion $$ industry complains because new BS security measures are worthless & the new features steal their pennies.
4.5) Linux zealot chimes in on how these issues are not issues under their chosen OS.
5) Horribly insecure OS company forms new multi-billion $$ industry to secure their horribly insecure OS in a proprietary fashion.
6) Balmer covers the $1 he owes Gates for the bet they made on whether or not they can steal the billions from the industry that wouldn't exist had it not been for them & their lax attitude toward secure coding practices while blaming the whole fiasco on Google & Linux all the while creating a brand spanking new completely worthless multi-billion $$ proprietary industry. (Thank you Mortimer, er I mean Balmer)
Re:Dance puppets dance (Score:2)
I still firmly beleive that as a matter of averages, OS security is based on a few different things:
The current market share. The company with the largest slice will be the largest target for..everything. The technical prowess of the people responsible for coding the exploits for said market leader. It is BY DESIGN that Windows has more security issues. Linux and OSX users are automa
Doesn't affect me (Score:2)
Misleading summary (Score:2)
The linked webpage contains a bunch of "techniques" which are mostly
"If we find a bug in this system call, PatchGuard will be worthless!"
along with a few
"This disables PatchGuard in the current beta build of Vista!"
Obviously... (Score:2)
I don't see what the big deal is (Score:2, Insightful)
What if windows ever did secure itself? (Score:2, Insightful)
Many people knock windows for being insecure, but it's not like Microsoft WANTS it to be that way. No, the people who want it to be that way are the "security" companies. Anti-virus companies have profitted from security flaws and viruses alike for many years now, and it has begu
Re:What if windows ever did secure itself? (Score:3, Informative)
The Windows security problems are Microsoft's own fault, and at a FAR more fundamental level than merely flawed implementation.
The problems began because Windows began as a GUI shell on top of a single-user program loader. There's an old adage, "Those who don't understand Unix are doomed to reinvent it - poorly." Multi-user wasn't in there at the beginning, and retrofits were awkward. I realize that the NT kernel is a true multiuser k
Re:What if windows ever did secure itself? (Score:2)
New MS Crack House (Score:2)
Mom & Pop buyers will be okay with this because they'll pay MS every month like they pay a cable tv bill. The software monoculture pretty much dictates that their machine will be zombies anyway.
This works out great for me because I will have -plenty- of
The whole "patchguard" concept is bogus (Score:4, Interesting)
The whole "PatchGuard" concept shows how broken Microsoft's approach to an OS has become. The whole concept is to catch changes made by programs which already have full access to kernel space. By checking every five or ten minutes for a change, no less. That's inherently a futile exercise. It may break some current exploits, but it won't break new ones. Any program that has access to kernel space can take over the machine. It could load a whole new OS if it wanted to.
The whole concept of add-on programs having access to kernel memory is so insecure that it has to go. UNIX and Linux limit it to loadable drivers, and the serious microkernels like QNX and IBM's VM don't allow it at all. But the Microsoft world, mostly for historical reasons, has all sorts of crap running with access to kernel memory, from various "security programs" to game DRM components. All that crap should have been taken out in Vista. The fact that it wasn't indicates how minor a change at the kernel level Vista is over XP.
Re:The whole "patchguard" concept is bogus (Score:2, Insightful)
This sounds like what they are doing...
2) Get rid of that stupid Registry, which is nothing but
Re:The whole "patchguard" concept is bogus (Score:2)
Not enough. Do something like the following:
Ring 0 - Kernel, MS signed only
Ring 1 - Drivers
Ring 3 - Userland
Give up on the 2 modes, that's a backward compatibility hack for a port that doesn't exist any more.
Re:The whole "patchguard" concept is bogus (Score:2)
these third-party companies wouldn't even exist (Score:2, Interesting)
Exactly what do you consider difficult? (Score:2)
You keep using that word. I do not think it means what you think it means.
Ahem... (Score:2)
So what we're really saying is... (Score:2)
But it's for your benefit?
Get over it (Score:2)
On the one hand they could make kernel hooks available to vendors and perhaps secure their use with code signing or something. Then the AV companies would be happy; but it would only be moments before some blackhats found away to expoloit the system and make their code look legit. Once it is exploited M$ is again accused (fairly) of produ
Re:Get over it (Score:2)
Exactly! I mean, that's how BSD and Linux do it... isn't it?
Re:Why would microsoft bother? (Score:4, Funny)
Re:Why would microsoft bother? (Score:2)
Re:Why would microsoft bother? (Score:5, Interesting)
Certificates of trust already exist in Windows. They're used by web browsers. It would be trivial to use the code that is already present to check for a valid certificate. The second layer of protection - requiring the user/IT department to countersign the patch - would make transparent breakins much harder. Not impossible, but definitely much harder.
Of course, this is all pointless these days, anyway. All a rootkit writer has to do is develop a mini hypervisor or hijack one already in use. For zombies, viruses, etc, you'd then have the externally-visible interfaces in the OS and everything else concealed outside. BIOS viruses could also be quite lethal, as they too would bypass this protection. Far too low a level for the OS to detect. These days, with graphics processors essentially being parallel CPUs, I'm surprised nobody has put a virus on the graphics card. If the PCI is multi-mastered (not uncommon on higher-end machines), then the card could control all the other devices without going through the OS at all, giving a virus that could inhabit that space ABSOLUTE power over the machine.
Re:"using these techniques is not a difficult tric (Score:2)
However, 64 bit windows is incompatible with 32 bit kernel mode drivers (the speed penalty would be too great). Users and vendors know that at least recompilation will be necessary, and this gives Microsoft an excuse to redesign the relevant APIs.
IIRC, linux driver developers know that binary compatibility is, at best, a nice bonus. This understanding allo
Re:"using these techniques is not a difficult tric (Score:2)
Think about this the next time you complain about the lack of drivers for Linux. Sure, some of have are proprietary. Some are never going to be developed because the company couldn't care less. But many other would be developed if only binary
Re:"using these techniques is not a difficult tric (Score:2)
Re:Another law suit... (Score:2)
And what will they do when Windows looses market share ( and it will because it will be in the position of being the only door maker that cannot put lock on its doors because of the bouncer union ) Request Linux providers and Apple to provide their OS configured with root as default ?
Re:Another law suit... (Score:2)
If I want to replace the default door locks on my door with Medeco locks, I should be able to.
(and as far as analogies go, "Operating systems are doors" is about as stupid as "The Internet is made of tubes")
Re:Another law suit... (Score:2)
Re:Another law suit... (Score:2)
Depends what distribution. AFAIK, in Ubuntu, root isn't enabled by default and you do system admin tasks through a sudo-like mechanism that elevates your permissions temporarily.
-b.
But do they? (Score:2)
I could be wrong, but I get the impression that a lot of the Microsoft lawsuits go that way. They "lose", but meanwhile, they've crushed their opposition beyond repair, which overall makes them money.
Re:If Microsoft were serious about security... (Score:2, Informative)
Every GUI OS understands the concept of file -> application mappings. Most use file exte
Re:If Microsoft were serious about security... (Score:2)
Are you really stupid enough to open executable files just because they have a text file icon and display "readme.txt" as the name? I'm not, but then again I don't use an OS where such brain-damaged behaviour is the default setting.
Re:Why do anti-virus applications need kernel acce (Score:2)
Without that ability, a well-written piece malware can hook into the routines that the anti-virus program uses and filter results or otherwise disable its detection mechanisms. Even if the anti-virus tries to hook the kernel, and is loaded after the malware, it's starting from a severe
Re:Why do anti-virus applications need kernel acce (Score:2)
I guess it'll be a wait and see if these measures will work or not... if the kernel security system, coupled with the non admin use, works as intended, then the AV programs won't be an issue to begin with
Re:Please get it right (Score:2, Informative)
Re:"Security Software" vs. "Trojan" (Score:2)
http://tools.ietf.org/html/rfc3514 [ietf.org]
Re:"Security Software" vs. "Trojan" (Score:2)
Re:"Security Software" vs. "Trojan" (Score:2)
Don't Drink the Water (Score:2)
Go listen to "Don't Drink the Water" by the Dave Matthews Band (sorry I can't include a link to the audio file, you know how it is, but the text is on-line [lyricsfreak.com]) and think about how the words apply here. Chilling.