Friday, October 27, 2006

Kernel Patch Protection gets broken -- again

Once again, before Vista even ships, PatchGuard has been hacked, proving again that relying on Microsoft and only Microsoft to protect users of the x64 versions of Windows Vista is just flat out not going to work.

As I have noted in this blog before, this is like putting the same lock on all doors of all the houses in the world and hoping it would hold all burglars at bay. As hackers discover how to break into and bypass the KPP, all users will automatically become unprotected and face the highest security risk conceivable. They will be forced to rely on the ability of Microsoft and only Microsoft to deliver weekly, monthly and out-of-cycle patches that often lag behind hackers by a margin of days, if not weeks, to plug the holes in Vista that Microsoft left open.

At the Black Hat conference in August 2006, malware experts saw one way to break into the Vista kernel. As a result, Microsoft was forced to patch Kernel Patch Protection.

This week, as reported by eWeek and several other news organizations, KPP has been hacked again. This time security software maker Authentium reported that a new version of its Authentium ESP Enterprise Platform product can bypass Kernel Patch Protection in Vista x64.

Microsoft has reacted furiously to the news, confirming it will issue a fix as part of the standard Microsoft Security Response Center process. That means that virtually all x64 users are vulnerable until Redmond releases that patch.

Let’s underline the irony here. PatchGuard is supposed to make x64 Vista invulnerable – but Microsoft has to patch it, for the second time, even before Vista officially ships?

This is not the price users should be asked to pay to stay secure.

“Good intentions lead to hell,” as the saying goes, and this is what is happening with Microsoft’s decision to “improve” the security of its operating systems by making it impossible for robust third-party security solutions to interoperate with Vista.

Mikhail Penkovsky,
Director of Sales and Marketing, Agnitum Ltd.

Wednesday, October 25, 2006

Microsoft's Maginot Line?

Sunbelt's Alex Eckelberry has come up with another interesting angle on the Microsoft Kernel Patch Protection (KPP) issue.

What happens to x64 users when a new and unknown threat comes along (as happens all too frequently these days)? As Alex says, "PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can't get in to help the operating system against an attack, at least without permission through APIs."

Excellent article, Alex - and yet another proof point (if one was needed) that Microsoft needs to open up the PatchGuard APIs now, not 18 months down the road. How many new security threats do you think will happen in the next year and a half?


Mikhail Penkovsky,
Director of Sales and Marketing, Agnitum Ltd.

Tuesday, October 24, 2006

Microsoft (Ab)uses Google to Mislead Users Searching for Third Party Software Info

Yesterday Alex Eckelberry, CEO of fellow third-party Windows security vendor Sunbelt Software, posted an interesting example of how Microsoft uses trademarks it does not own in its online advertising.

In this particular example, Microsoft uses “Webroot” and “SpySweeper” as keywords in a Google AdWords campaign to target users looking for security software. “Webroot” and “SpySweeper” are both trademarks held by Webroot Software.

We made a similar discovery three months ago. Microsoft does the same thing with our trademarked product Outpost Firewall Pro - see the screenshot below. To try this yourself, type “outpost firewall” into Google and see what happens.

Disclaimer: Note that in some parts of the world, you will not see the ad.

Although this is not a new search engine advertising tactic, it is not something you would expect from Microsoft, is it?

We have already contacted Google to block any advertising, including Microsoft's, that uses our trademark. We expect this to be resolved in the near future.


Alexander Kariagin,
PR and Marketing manager, Agnitum Ltd.

Monday, October 23, 2006

Will Microsoft Shut Out Internet Security Competition By 2008?

Like many Internet security vendors, we’ve been closely watching Microsoft’s latest actions with regard to Kernel Patch Protection (KPP). It’s our conclusion (and no doubt the same conclusion has been reached by many other vendors) that Microsoft’s promise to release its API will have little or no effect on a situation some security experts are already calling “shutting down the competition in the Internet Security market”. Hallowe’en is coming soon, but the prospect of end users relying on Microsoft for Internet security is much scarier, in our view.

The official story:

As early as July 2006, we raised concerns about the introduction of Kernel Patch Protection; larger vendors like Symantec and McAfee raised the same questions later. As a result, the European Commission issued a warning to Microsoft that it must not shut out rivals in the security software market. The commission asked security vendors about issues they might have with Vista and has confirmed it will take action if it believes Microsoft is breaking antitrust laws.

Given little other choice, Microsoft evidently decided to take a step back -- at least officially. On Friday October 13th, Microsoft said it would modify KPP to let third-party security vendors bypass it with their software and give end users the ability to choose their preferred security supplier. To do this, Microsoft would create an Application Programming Interface (API) to let third-party developers access the kernel and disable the Windows Security Center in Vista.

The real facts:

Last week – as reported by TechWeb and eWeek, among others -- we learned that Microsoft won't roll out the APIs for PatchGuard in the first edition of Vista, but instead now plans to deliver the APIs with the first Service Pack to Vista. This promises to be a long wait, because, typically, Microsoft doesn’t deploy an initial Service Pack until 12 to 18 months after the first release of an OS.

Consequences:

Why is it so risky to use KPP to provide kernel security for computers running Vista x64 rather than a third-party security solution?

Here’s an analogy. Today, every house has a different lock on its front door; in the same way, you can use any security product you want to protect your computer. Now imagine if every house in your city were required to use the exact same lock on its front door. As soon as a burglar figures out how to crack that lock, he can freely enter and steal from any house. This is what 64-bit Windows security will look like with PatchGuard.

This is not just a bad science-fiction movie. Microsoft was apparently embarrassed into changing Kernel Patch Protection after malware experts attending the Black Hat conference in August 2006 saw a presentation that demonstrated how to break into the Vista kernel.

How does that inspire confidence? How does that better protect users?

If it isn’t already happening, every cyber criminal in the world will target Kernel Patch Protection. If Microsoft gets its way, the only protection 64-bit OS users will have will be to totally depend on how fast Redmond is able to release security patches.

If history is any indicator, we’re in for a long series of “patch Tuesdays.”

Why is Microsoft doing this?

We believe that Microsoft is executing a series of logical steps aimed at shutting down the competition and winning a significant share of the security software market. The classic series of “Competitive Strategy” books by Michael E. Porter states that one of the best methods to secure your market position is to create technology barriers that prevent your competitors from entering the market.

Since x64 computers are just starting to enter the market, it also makes sense for Microsoft to focus on this segment. They are clearly expecting fewer objections from the competition in this space, as it will take a couple of years for the majority of users to migrate to x64.

At this point, it’s not clear whether Microsoft’s strategy with respect to Vista x64 and Kernel Patch Protection is legal – that’s being considered by the European Commission and other legislative bodies. What really bothers us as a security vendor is the fact that Microsoft is using its position of power to make all users rely on Microsoft and only Microsoft to secure their systems.

Every “patch Tuesday” proves again that a choice of one vendor is no choice at all.

In security, this is especially true. Microsoft’s Kernel Patch Protection is already broken. It is going to be attacked continually – and broken again and again.

What should users do?

Our best recommendation at this point is to not move to 64-bit computing under Windows Vista until Microsoft provides third-party security vendors with the ability to give you, the customer, a choice in whose security software you use.


Mikhail Penkovsky,
Director of Sales and Marketing, Agnitum Ltd.

Friday, October 20, 2006

Is it possible to shut down security software?

Guillaume Kaddouch, owner of the popular security website www.firewallleaktester.com, recently conducted a range of what he calls “termination tests”, in which he tested how thirteen different security software products handle attempts by external applications to shut them down.

The termination tests simulate the activity of a virus, Trojan or spyware program that first shuts down security software and then executes malicious actions on the now-unprotected computer. Some security software products, including Outpost, incorporate a self-protection feature to monitor and prevent any attempt to tamper with their own files, registry entries, processes, or keystroke commands.

I am proud to say that Outpost came out on top, passing all 38 tests with flying colors. The test results are available here: http://www.firewallleaktester.com/termination.php.

Alexander Kariagin,
PR and Marketing manager, Agnitum Ltd.
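
As an added example (not part of the original post, and not the firewallleaktester.com suite itself), the PowerShell script below is a minimal termination-test harness of the kind the post describes: it plays the role of the malicious program and tries three common ways of shutting down a target process, recording for each whether the attempt was blocked. The process name in $TargetNames is an assumed placeholder; substitute the process names of the product under test. The real suite covers many more techniques than these three.

```powershell
# Added example, not from the original post or from the firewallleaktester.com suite:
# a minimal termination-test harness. Run it on a test machine, both elevated and
# non-elevated, against the security product's processes. Each row of the report says
# whether one shutdown method was blocked (Blocked = True is the result you want).
param(
    [string[]]$TargetNames = @('op_mon')   # assumed placeholder process name
)

# Liveness check that does not need a handle to the target, so it still works when
# the product denies PROCESS_QUERY_INFORMATION to other processes.
function Test-Alive([int]$ProcessId) {
    $null -ne (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue)
}

function Test-TerminationResistance {
    param([Parameter(Mandatory)][string]$Name)

    $results = New-Object System.Collections.Generic.List[object]
    $procs = @(Get-Process -Name $Name -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) {
        $results.Add([pscustomobject]@{ Target = $Name; Pid = $null; Method = 'n/a'; Blocked = $null; Detail = 'not running' })
        return $results
    }

    foreach ($p in $procs) {
        # Method 1: TerminateProcess() via .NET Process.Kill(). A self-protecting product
        # normally refuses the PROCESS_TERMINATE handle, so Kill() throws "Access is denied".
        try {
            $p.Kill()
            Start-Sleep -Milliseconds 500
            $alive = Test-Alive $p.Id
            $results.Add([pscustomobject]@{ Target = $Name; Pid = $p.Id; Method = 'Process.Kill'; Blocked = $alive; Detail = 'no exception raised' })
            if (-not $alive) { continue }   # process is gone; nothing left to test for this PID
        } catch {
            $results.Add([pscustomobject]@{ Target = $Name; Pid = $p.Id; Method = 'Process.Kill'; Blocked = $true; Detail = $_.Exception.GetBaseException().Message })
        }

        # Method 2: WM_CLOSE posted to the main window. CloseMainWindow() returns $false
        # when the process has no main window (typical for a service or tray-less engine).
        $sent = $p.CloseMainWindow()
        Start-Sleep -Milliseconds 500
        $alive = Test-Alive $p.Id
        $detail = if ($sent) { 'WM_CLOSE sent' } else { 'no main window' }
        $results.Add([pscustomobject]@{ Target = $Name; Pid = $p.Id; Method = 'WM_CLOSE'; Blocked = $alive; Detail = $detail })
        if (-not $alive) { continue }

        # Method 3: taskkill /F, i.e. TerminateProcess again but issued from a separate
        # process, the way a dropper would shell out to it. Exit code 0 means taskkill
        # believed it succeeded; the liveness check is what actually decides.
        $null = & taskkill.exe /F /PID $p.Id 2>&1
        $exit = $LASTEXITCODE
        Start-Sleep -Milliseconds 500
        $alive = Test-Alive $p.Id
        $results.Add([pscustomobject]@{ Target = $Name; Pid = $p.Id; Method = 'taskkill /F'; Blocked = $alive; Detail = "taskkill exit code $exit" })
    }
    return $results
}

$report = foreach ($n in $TargetNames) { Test-TerminationResistance -Name $n }
$report | Format-Table -AutoSize
```

Two caveats a tester should keep in mind: a product whose user-mode processes survive these three methods may still be defeated by techniques the script does not try (injecting a thread that calls ExitProcess, suspending rather than terminating, or unloading its kernel driver), which is why the published suite is much larger; and the liveness check uses Get-Process rather than the Process object's HasExited so that the verdict does not depend on the target granting any handle at all.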

Thursday, October 19, 2006

Combating spam: an intelligent approach to the problem

Spam is email's worst foe. Research indicates that up to 90% of all email arriving in mailboxes is spam. Spammers make a fortune from their trade, but few countries take legal action against the offenders. Some people believe that you can't beat spam, and you should just accept it as an unfortunate fact of life alongside other misfortunes like inflation or famine. We disagree, not least because spam can be dangerous as well as time-wasting if it's not handled correctly.

The October issue of Security Insight brings you up to speed on the dangers of spam and the latest techniques used by spammers, and gives you some practical tips on how to deal with spam intelligently - and without the use of specialized anti-spam software - so that your data and your personal privacy are kept intact.

Read the complete article at: http://www.agnitum.com/r/insight/october/

I am open for your comments!

Igor Pankov,
Security Insight Editor

Microsoft to open Kernel Patch Protection for third-party security vendors?

The game of ping-pong between Microsoft and third-party security software vendors seemed to be over last week when Microsoft announced its plan to share the source code of its Kernel Patch Protection mechanism.

Kernel Patch Protection (KPP), also known as PatchGuard, is a new security measure introduced by Microsoft for the Windows Vista x64 operating system. Its goal is to prevent malware from replacing a part of Microsoft's core code with its own, thus exploiting the operating system. An unfortunate side effect, however, is the limitations this places on third-party vendors of security software – limitations that are confirmed by security researchers from around the world.

As early as July 2006, Agnitum, along with fellow firewall provider Sunbelt, raised concerns about the introduction of Kernel Patch Protection; larger vendors like Symantec and McAfee raised the same questions later. As a result, the European Commission issued a warning to Microsoft that it must not shut out rivals in the security software market. The commission asked security vendors about issues they might have with Vista and has confirmed it will take action if it believes Microsoft is breaking antitrust laws.

Given little other choice, Microsoft evidently decided to take a step back -- at least officially. On Friday October 13th, Microsoft said it would modify KPP to let third-party security vendors bypass it with their software and give end users the ability to choose their preferred security supplier. To do this, Microsoft would create an Application Programming Interface (API) to let third-party developers access the kernel and disable the Windows Security Center in Vista.

This certainly sounded promising -- Microsoft did, after all, decide to make the changes after being pushed into a corner by the European Commission and major third-party security vendors. But with Vista due to ship in a few weeks, we weren’t exactly getting a lot of time to provide users with greater choice in their selection of security tools.

I guess we should also have taken note that Microsoft made this announcement on Friday 13th – not a date known for good news over the course of history. Because what did we learn today? According to TechWeb:

“Microsoft won't roll out the APIs for PatchGuard in the first edition of Vista, but will unveil them with the first Service Pack. Typically, Microsoft deploys an initial Service Pack 12 to 18 months after the release of an OS.”

We’ve contacted Microsoft to try to get this sorted out. We hope. From Agnitum's point of view, Microsoft has made a positive decision – but we don’t have the API yet to analyze it. And of course the biggest losers here are going to be the users. Unless Microsoft makes good on its original announcement to make the KPP APIs available this week, the likelihood is that Vista will ship with a “choice” of security solutions from one vendor – Microsoft. A company not exactly widely acclaimed for its attention to computer security.

We’ll let you know when we hear back from Microsoft. Stay tuned!

Mikhail Penkovsky,
Director of Sales and Marketing, Agnitum Ltd.

Tuesday, October 10, 2006

Why has Microsoft included a firewall with Vista, and where will it lead?

We have to admit that the Vista firewall provides some basic protection. The fact that it is free means that you should not have high expectations of its quality – something we proved beyond a doubt when we gave the Microsoft OneCare Firewall a thorough testing earlier this year (OneCare Firewall test description, press release).

As we see it, there are two reasons for Microsoft to include the firewall in Vista, turned on by default, and given away for free:

1. To provide a degree of basic protection for inexperienced users (good PR).
2. To grab market share from third-party commercial firewall vendors.

What dangers lie in this approach by Microsoft?

We all know that free is tempting. We all remember what happened to Netscape when Microsoft introduced Internet Explorer. But how long does free continue to look good? Yes, IE gained almost 95% market share. Then further development appeared to stop, until that market share began heading in the opposite direction as alternative products appeared (Firefox, Opera, and the return of Netscape). It’s also clear that IE has more security holes than a sieve, as the frequent patch announcements constantly remind us.

Which prompts us to ask a fundamental question: Why are we relying on Microsoft for security, when it clearly has difficulty providing that security in its own products?

Microsoft must invest to keep its products up to users’ expectations – and security requirements. Here’s what we’d advise them to do -- and, who knows? They may even be reading this article.

1. Listen to what third-party security vendors say and make available the information they need to install their own products to boost Windows Vista security. Depending on Microsoft and only Microsoft is not going to protect users.

2. Make the necessary Windows source code available for third-party vendors to undertake comprehensive compatibility tests (in order to verify if the program is compatible with other applications) and integrate with all aspects of Vista to ensure effective, transparent security for Vista users.

Alexander Kariagin,
PR and Marketing manager, Agnitum Ltd.

Monday, October 02, 2006

Malware infections: what to look for and how to get through the crisis

Most home computer users have experienced some form of malware infection at some time. While there are many tools that help to automate the process of detecting, containing, and removing threats, there are also some simple, practical steps users can take that don't involve sophisticated software. With a little knowledge, some free tools, and a modest effort, computer users can relatively easily isolate threats and make sure their PC at least cannot infect other machines.

In this article, we'll talk about “first-aid” methods of detecting and manually removing malicious programs from a PC and preparing the system for a more thorough inspection by antivirus and/or antispyware software.

Read the complete article at: http://www.agnitum.com/r/insight/september/

Igor Pankov