Thursday, October 19, 2006

Microsoft to open Kernel Patch Protection for third-party security vendors?

The game of ping-pong between Microsoft and third-party security software vendors seemed to be over last week when Microsoft announced its plan to share the source code of its Kernel Patch Protection mechanism.

Kernel Patch Protection (KPP), also known as PatchGuard, is a new security measure introduced by Microsoft for the Windows Vista x64 operating system. Its goal is to prevent malware from replacing a part of Microsoft's core code with its own, thus exploiting the operating system. An unfortunate side effect, however, is the limitations this places on third-party vendors of security software – limitations that are confirmed by security researchers from around the world.

As early as July 2006, Agnitum, along with fellow firewall provider Sunbelt, raised concerns about the introduction of Kernel Patch Protection; larger vendors like Symantec and McAfee raised the same questions later. As a result, the European Commission issued a warning to Microsoft that it must not shut out rivals in the security software market. The commission asked security vendors about issues they might have with Vista and has confirmed it will take action if it believes Microsoft is breaking antitrust laws.

Given little other choice, Microsoft evidently decided to take a step back -- at least officially. On Friday October 13th, Microsoft said it would modify KPP to let third-party security vendors bypass it with their software and give end users the ability to choose their preferred security supplier. To do this, Microsoft would create an Application Programming Interface (API) to let third-party developers access the kernel and disable the Windows Security Center in Vista.

This certainly sounded promising -- Microsoft did, after all, decide to make the changes after being pushed into a corner by the European Commission and major third-party security vendors. But with Vista due to ship in a few weeks, we weren't being given much time to provide users with greater choice in their selection of security tools.

I guess we should also have taken note that Microsoft made this announcement on Friday the 13th – not a date known for good news over the course of history. Because what did we learn today? According to TechWeb:

“Microsoft won't roll out the APIs for PatchGuard in the first edition of Vista, but will unveil them with the first Service Pack. Typically, Microsoft deploys an initial Service Pack 12 to 18 months after the release of an OS.”

We’ve contacted Microsoft to try to get this sorted out. We hope. From Agnitum's point of view, Microsoft has made a positive decision – but we don’t have the API yet to analyze it. And of course the biggest losers here are going to be the users. Unless Microsoft makes good on its original announcement to make the KPP APIs available this week, the likelihood is that Vista will ship with a “choice” of security solutions from one vendor – Microsoft. A company not exactly widely acclaimed for its attention to computer security.

We’ll let you know when we hear back from Microsoft. Stay tuned!

Mikhail Penkovsky,
Director of Sales and Marketing, Agnitum Ltd.


MSFTextrememakeover said...

Your comment that "Kernel Patch Protection (KPP), also known as PatchGuard, is a new security measure introduced by Microsoft for the Windows Vista x64 operating system" is factually incorrect as your own embedded link confirms. Why is it that you and several of your security competitors continue to blatantly misrepresent this fact? Additionally, it's almost comical hearing security companies of all people argue that the ability of 3rd parties to replace kernel code with their own is actually a good thing. No question it's expedient for you and other security providers and makes life easier, but a good thing from an overall OS security perspective either in theory or in practice? Are you kidding me? On the issue of suitable APIs to accomplish your needs and in a timely fashion, I support you folks 100%. But on this public campaign of blatant misrepresentation and advocacy for sloppy and insecure programming techniques under the guise of "required", you're losing me.

Hydrans said...

I thought about writing this in a more public place, however then I thought that no one reads the media for really informed comment (nor might this be informed when you get to the end of it).

A simple statement and a point and then a question.

KPP is secure, through the fact that no one but Microsoft has access to the code (assuming of course that Microsoft source code is secure).

Why would anyone "require" access to alter code, that is secure, that no one can alter, and whilst might not be the most efficient code on the market, is good enough for potentially 95% of the users that choose it over competitors?

If this code is altered through non authorised means, surely an automatic checker, that is completed prior to patch updates, could verify the code, and any illicit code could be removed or the kernel could be replaced immediately. Again remembering if no one, has access to it and it is secure, surely no rational person or company would have an issue with this?

This core code, could be checked by an independent organisation, to ensure that Microsoft, does not gain any unfair business advantage, by allowing collection of personal data about the system, through the checking mechanism.

If the core code, is not efficient, why don't the various software companies that are complaining, collaborate to make the code more efficient, and potentially Microsoft could pay a licensing fee to those partners that are involved in making the core more efficient.

I am not sure if this is possible, it certainly is not logical for the "security" companies, however it does make sense to do this for the consumer, to aid the efficiency of the code, to develop the consumers experience of the software.

I am not a Microsoft lover or hater, but it has to be remembered that many of these "security" companies make their entire business based on the strength of sales of Microsoft software. If Microsoft was not there, would many of the companies that are making the complaints still be there to make the complaints?

Agnitum BLOG said...


Microsoft, Agnitum, McAfee, Symantec, Sunbelt and everyone else involved in the debate have one thing in common – they all agree that Kernel Patch Protection (KPP) and PatchGuard are new security measures introduced by Microsoft for the upcoming Windows Vista x64 operating system. But there’s little agreement beyond that, because Microsoft is arguing that these new measures will prevent unauthorized kernel level access and thus protect users. This, politely, is nonsense.

In June 2006, Microsoft made significant changes to KPP. These changes prevented third-party security software companies from providing protection to users of Vista x64 and Windows XP 64-bit Edition.

Microsoft believes that by doing this it is preventing hackers from breaking open the Windows kernel, a core part of the operating system. However, it is also preventing security providers from providing users with alternatives to Microsoft security tools.

We believe this is an attempt, at least in part, to limit user choice and suppress the market for security tools that do not come from Microsoft. Unfortunately, ironically, users will be less protected in this scenario and the next-generation operating system will be more rather than less vulnerable to attack.

For legitimate software vendors to continue to provide a safe online experience for PC users, those companies currently have to bypass KPP the way hackers do; this becomes the only way for security vendors to provide users with security tools that are a viable alternative to those available from Microsoft. And unlike hackers, security vendors must also ensure that their code is compatible with the underlying OS.

Malware creators face no such requirement. They do not have to provide this compatibility, because they bear no responsibility to their “customers”. Instead, their goal is much easier to achieve and much more straightforward – attack, destroy, replicate and spread.

At the same time, malware creators now have a clear target – KPP. From now on, their "job" is to hack the KPP – a job that is much easier than bypassing dozens of discrete third-party security software tools.

The most critical thing about KPP – as positioned so far by Microsoft – is that from now on all x64 users will have to rely on one and only one security tool. This is like putting the same lock on all doors for all the houses in the world and hoping they would hold all burglars at bay. As hackers discover how to break into and bypass the KPP, this will automatically expose all users to the highest security risk conceivable. They will be forced to rely on the ability of Microsoft and only Microsoft to deliver weekly, monthly and out-of-cycle patches that often lag behind hackers by a margin of days, if not weeks, while waiting for Microsoft to plug the kernel-access vulnerabilities that Microsoft created.

This is scary. No one should be relying on Microsoft and only Microsoft for their security.

Mikhail Penkovsky,
Director of Sales and Marketing, Agnitum Ltd.

MSFTextrememakeover said...

"Microsoft, Agnitum, McAfee, Symantec, Sunbelt and everyone else involved in the debate have one thing in common – they all agree that Kernel Patch Protection (KPP) and PatchGuard are new security measures introduced by Microsoft for the upcoming Windows Vista x64 operating system."

MSFT agrees with that? Doesn't sound like it:

"No one should be relying on Microsoft and only Microsoft for their security."

Talk about a straw-man argument. How come Sophos doesn't see a problem with KPP? Apparently, no one should be relying on you for accuracy or objective truth.

Anonymous said...

MSFT ExtremeMakeOver needs to take a break from sucking so hard on Microsoft's private parts; it's obviously damaging his brain.