Symantec Corp. and McAfee Inc. say that a Microsoft Corp. technology called Patch Guard — which blocks access to the 64-bit Vista kernel — will make it harder for third-party security vendors to deliver certain features in their products. In a full-page advertisement in London’s Financial Times, McAfee charged that Microsoft’s decision to “shut-off access” to the kernel amounts to anticompetitive behavior. The two security vendors also accuse Microsoft of other tactics designed to make life harder for independent security vendors at a time when the software giant is expanding its own presence in the security field. In an interview with Computerworld, Stephen Toulouse, senior product manager with Microsoft’s security technology unit, explained his company’s position.
Excerpts from the interview follow:
Why did Microsoft decide to restrict access to the 64-bit Windows kernel?
The biggest concern has been rootkits that can hide themselves from detection software and antivirus software. When you have a situation where code that is not part of the operating system can run at the same level as the kernel, that is not good because the kernel can’t necessarily figure out what is good and what is bad.
In the 32-bit version of the [operating system] there has always been these undocumented and unsupported ways of modifying the kernel while it is running. That introduced stability problems, performance problems and security problems because attackers can use them, as well. These unsupported, undocumented ways of modifying the kernel have never been used by Microsoft and their use by other vendors is frowned on. We don’t believe that it is good for the user experience to modify the kernel while it is running. When changes are made to it in unsupported fashion, you introduce instability.
So, what we felt the right thing to do for the 64-bit platform was to prevent the use of these unsupported functions and instead try to implement safer documented ways of implementing the same functionality.
What does Patch Guard do for Windows?
I think it is important first off from our perspective to note that one of the things that customers have been very clear about with Windows and all of our products is that we’ve got to fundamentally raise the security of those products. That has been very clear feedback from our customers. One of the ways we are doing that on our 64-bit platform is this implementation that is known as kernel patch protection or Patch Guard. It is actually not new. We have been shipping operating systems with kernel patch protection for a couple of years now. The feature is also in Windows XP 64 and Windows Server 2003, 64-bit.
The goal around Patch Guard is to help make a more stable, reliable and secure experience for the customer. It prevents the unsupported and undocumented modification of the kernel. If it detects [that the kernel] has been modified or something is attempting to modify it, Patch Guard will automatically shut the system down to prevent an attack.
Does Patch Guard prevent third parties from offering specific features in security applications?
There are supported ways to run code in kernel mode and things of that nature. One of the things we have been asking software vendors is, “To the extent you are using this functionality, what are you using it for and how can we help you implement that in a safe way?”
Some security vendors were offering what is known as deep-packet inspection of network traffic. That is a very valuable feature that is certainly something customers want and need and that is being provided today by third parties. So we implemented something known as the Windows Filtering Platform so that [independent software vendors] could talk to the protocol in the network interface directly. Other companies were modifying the kernel in place to look at everything that goes in and out of the file system, so we also implemented something called File System Filters to allow them to do that. So really all Patch Guard does is prevent use of these unsupported and undocumented interfaces. We are committed to working with the software vendors to implement their functionality in a safe way.
Symantec and McAfee also say that Windows Security Center, as implemented in Vista, will result in user confusion because there is no way to disable the dashboard — even when the user installs a third-party security dashboard.
First of all, Windows Security Center is not a product. It does not provide any protection. All it is meant to do is to provide a vendor-agnostic view of security in the operating system across different baseline categories. The first one is antivirus; there is anti-spyware, firewall and then there is Automatic Updates. The goal here is to kind of have it be like Device Manager.
If you look at Device Manager in the operating system that’s a place where — no matter who makes the hardware, whether it is a Microsoft mouse or a Logitech mouse — your Device Manager tells you the status and you can update that as you need. We wanted to provide that for security because customers let us know that they were really looking for one place to know their correct status. The goal of Windows Security Center is simply a notification service that third parties can plug into. If they wish to provide their own security center that has more categories and much more functionality, we think that is great. But we believe the baseline of the operating system should still have that notification for the user across those fundamental categories. The reason we are concerned about allowing the automatic and silent disabling of the service is that you really can’t guarantee that it will be enabled on uninstall and that will leave the user vulnerable. If the user does not want to see our security center it is very easy to disable it.
How would you respond to the complaints of Symantec and McAfee?
These guys are our partners. Windows Vista is not going to be a silver bullet that by itself is going to solve all security problems. We believe that we have done a significant amount of work to increase the baseline security of the operating system like customers asked us to but also to help maintain choice. We have provided those vendors with unprecedented access to the development of the operating system. They have had office space on campus, lab space, direct contact with our developers — just, really, an unprecedented level of support. What we are trying to say is, “Look, customers have provided us with this feedback that we’ve really got to fundamentally increase the security of the operating system. To do that, we have got to make some hard choices, and when we make those hard choices, we are going to lean toward protecting the customers. Unfortunately, there are some vendors out there who want the operating system to be insecure. They really want things to stay the way they are.