Security Firm Bypasses Patch Guard

filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
  • by Animaether ( 411575 ) on Saturday October 28, 2006 @03:54PM (#16624460) Journal
    "Patch Guard ... is supposed to keep out ... security company competitors"
    Uhm. Yes. According to -some- security company competitors whose entire livelihood depends on Windows being as insecure as it is? Certainly not according to Microsoft itself.

    "Microsoft immediately responded"
    really?
    Microsoft doesn't respond anywhere in that article. In fact, page 2 (yes, it's one of THOSE articles) specifically reads:
    "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move."

    So where -did- they respond?

    "by saying their reckless ..."
    and that whole article doesn't contain the word 'reckless' at all. So where did they say this, again?

    Mind you, the article itself is in error when on page 2 it states:
    "Next Page: Microsoft defends itself."

    And when you get to page 3, you get:
    - a symantec spokesperson
    - an industry watcher, possibly:
    - Andrew Jaquith of Yankee Group

    But absolutely no Microsoft. So where is Microsoft defending itself?

    Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.
  • Re:Reckless? (Score:3, Informative)

    by Izago909 ( 637084 ) <.moc.liamg. .ta. .dogsiuat.> on Saturday October 28, 2006 @04:00PM (#16624508)
    How about a reputable security firm discovering an exploit and making the details public... or some kid in his basement who keeps it to himself and does who knows what with it?
  • by Tacvek ( 948259 ) on Saturday October 28, 2006 @04:18PM (#16624618) Journal
    Are you sure you have no page files? Most operating systems will swap out memory. Windows defaults to having a page file. (At least 32-bit XP does.) (Mine uses a 1536MB-3072MB paging file). Linux has the swap partition.

    Sure, 64-bit means a memory cap so high it is very unlikely you will ever reach it, but what is the highest one machine is going to have? 8GB? 16GB? Even with that much memory, a paging file can sometimes increase performance. It may be because of architectural design faults. At one point Linux would run faster with a Swap-FS on a ramdisk than with no swap at all. (I'm completely unaware of when or if that has changed.)

  • by Rip!ey ( 599235 ) on Saturday October 28, 2006 @04:29PM (#16624676)
    The slashdot summary says "Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."

    But the article reads differently. "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move. O'Donnell said that Authentium has informed Microsoft of its work, and that the software company asked it to abandon the tactic and wait for its new APIs ..."

  • by lemaymd ( 801076 ) on Saturday October 28, 2006 @05:11PM (#16624986) Homepage
    I'm not sure what effect PatchGuard and its related technologies will actually have on security, but they certainly do cause certain hardware configurations to become unusable and confiscate a great deal of power in Microsoft's hands. I wanted to experiment with an M-Audio Delta 1010LT pro audio card on Vista 64-bit, but M-audio hasn't released any signed drivers for that particular card and has stated that they will not do so until Vista is officially shipped. Theoretically, it shouldn't have been possible for me to install the 64-bit XP drivers in their place, and it actually wasn't without some hacks. However, the necessary hacks are laid out in great detail in a public MSDN document and actually automated by some scripts in the latest Windows DDK: http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx [microsoft.com] I just followed MS' tutorial on disabling driver signature enforcement and had the XP 64-bit drivers installed in about an hour, after self-signing them using automated tools. So, I'm skeptical of the strength of these new security measures. By the way, the XP drivers didn't work after all. :-)
  • by NullProg ( 70833 ) on Saturday October 28, 2006 @05:18PM (#16625062) Homepage Journal
    but I haven't seen much if any effort by any of the other mainstream OSes to prevent kernel patching at all. It is downright trivial to write a Linux kernel module which hooks all sorts of critical data structures,

    Nope,
    I can build my Linux kernel without module support. Your module is not going to get loaded.

    Enjoy,
  • by Foolhardy ( 664051 ) <`csmith32' `at' `gmail.com'> on Saturday October 28, 2006 @05:28PM (#16625170)
    What could you possibly be talking about? Direct disk access means bypassing the filesystem and reading and writing to the sectors directly. This requires administrator privileges for good reason: it bypasses file security, file locks and all the other nice things that filesystems do. No user application requires the ability to bypass the filesystem. Don't you need to be root to access a mounted block device on a UNIX? It's the same thing. The fact that it's possible to modify the kernel when you have admin privileges (and physical access for that matter) is hardly surprising, and in fact is unfixable (short of full TCPA).

    PatchGuard is only there to discourage apps that hook the syscall table (an inherently unsafe operation) and make other modifications to the kernel's private, volatile internal interfaces. When Windows NT was written, the MS devs never expected 3rd party devs to go poking around with the kernel's private interfaces, and are rightly disgusted when those 3rd party software programs cause problems because of it. Compare this to Linux: you are free to maintain your own custom build of the kernel, but in the mainline, all the kernel interfaces are so volatile, every minor revision is binary incompatible with the rest. You'd never get a device driver accepted into the mainline if it depended on private interfaces that break every revision, even on a source level. Microsoft is well within their prerogative to make changes to the Windows kernel's internal, private interfaces. This doesn't work too well when 3rd party apps are dependent on them never changing, especially when Windows crashes because of it. PatchGuard is a technical speed bump to make it harder for 3rd party software companies to screw with the kernel's internals. Microsoft knows that it's an unwinnable arms race [msdn.com], but hopes that the 3rd parties will decide it's just easier to stick to the kernel's public interfaces. Microsoft is willing to create new stable public interfaces to support the necessary behavior.

    The only thing I can think of that you might be talking about for reduced performance is if you meant no intermediate buffering when you said "direct disk write". The FILE_FLAG_NO_BUFFERING and FILE_FLAG_WRITE_THROUGH [microsoft.com] buffering options are unrelated to direct disk access (which actually means bypassing the filesystem to access the block device directly). Write through and unbuffered IO aren't going anywhere.

    As for special hooks that MS applications get into the OS that no one else gets, how about an actual example?
  • by Eivind Eklund ( 5161 ) on Saturday October 28, 2006 @05:30PM (#16625192) Journal
    Actually, at least FreeBSD lets you block kernel modules and all other ways of modifying the kernel (until reboot): Set the sysctl kern.securelevel.

    Eivind.

  • by jesterzog ( 189797 ) on Saturday October 28, 2006 @07:12PM (#16626150) Journal

    Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.

    Perhaps this link was added to the slashdot summary after you posted your comment for all I know, but the slashdot summary that I read had two links, and I found that statement quite clearly after following the first link [intelliadmin.com]. About 13 paragraphs down, that article states, complete with the additional link that I've included here:

    Microsoft immediately responded with a angry attack [eweek.com] stating that that the hack harmed windows users by reducing the security of Windows.

    So no points for grammar in that sentence (which I copied verbatim), but it seems to explain quite clearly what the Microsoft criticism is. That second linked article begins with the paragraph:

    Microsoft officials say they are unhappy that security software maker Authentium has decided to bypass the controversial PatchGuard kernel protection feature in its next-generation Vista operating system, and said that the tactic could lead to eventual problems for users of the company's software.

    ...and goes on for quite a while. Is this the statement you meant?
