Security Firm Bypasses Patch Guard

filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."
  • Reckless? (Score:5, Insightful)

    by Izago909 ( 637084 ) on Saturday October 28, 2006 @03:22PM (#16624238)
    What's more reckless... writing software with security holes and making its selling point the high level of security it contains... or discovering an exploit that defies the marketing team?
  • Reckless (Score:2, Insightful)

    by Anonymous Coward on Saturday October 28, 2006 @03:22PM (#16624244)
    Yes, Microsoft's reckless ways *are* destroying the security of Windows users.
  • by Lord Kano ( 13027 ) on Saturday October 28, 2006 @03:22PM (#16624246)
    Necessity is the mother of invention.

    If Microsoft hadn't been so assholeish about it, no one would have needed to circumvent their "protections".

    LK
  • by Sloppy ( 14984 ) on Saturday October 28, 2006 @03:32PM (#16624306)

    To users, security is about protecting the machine from external threats.

    To Microsoft, security is about protecting the machine from everyone, including the owner and admin.

    To users, security is about protecting the user's personal data and ability to use the machine.

    To Microsoft, security is about protecting someone's data (not necessarily the user's) from everyone (perhaps including the user).

    To the computer's owner, the machine is entirely their own domain, and exists for their own benefit to maximize their own interests.

    To Microsoft, the machine is partitioned and not all of it belongs to the owner, ultimately to maximize Microsoft's interests.

    To the computer's owner, their relationship to Microsoft is that the computer owner is the customer.

    To Microsoft, their relationship to the computer's owner, is that the owner is both a customer and a product.

  • The conclusion: (Score:3, Insightful)

    by A beautiful mind ( 821714 ) on Saturday October 28, 2006 @03:35PM (#16624330)
    Malicious software and black hats will continue to use the pagefile exploit to overwrite what they need and do what they want, while legitimate software writers get locked out completely. Kind of defeats the purpose...or do you think that MS had a different purpose altogether?
  • by Angostura ( 703910 ) on Saturday October 28, 2006 @03:37PM (#16624346)
    Well, I hate to be contrarian (actually I don't) but in this case Microsoft is attempting to address your point 1. in a reasonable way, by disallowing unsigned drivers. The fact that the protection can be broken is problematic. The fact that Microsoft is now looking to close the loophole is fine.
  • Wait, wait. . . (Score:2, Insightful)

    by Hamoohead ( 994058 ) on Saturday October 28, 2006 @03:44PM (#16624398)
    Isn't the whole reason for these security companies' existence because of Microsoft's "reckless ways"? Although the notion of a black box kernel can (and I'm sure will) be abused by MS by eliminating DRM circumvention (say goodbye to virtual CD drivers), isn't this the only true way of making sure that nothing gets past the kernel? Kudos to MS for plugging this hole.
  • by TubeSteak ( 669689 ) on Saturday October 28, 2006 @03:48PM (#16624414)
    What's more reckless... writing software with security holes
    FTFA: The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company's tools to infiltrate Vista's kernel hooking driver, and get out, without the OS knowing the difference.

    It would seem to me that backwards compatibility is, once again, a security hole.
  • by 140Mandak262Jamuna ( 970587 ) on Saturday October 28, 2006 @04:05PM (#16624548)
    OK, let us take the next logical step: all direct disk writes by non-kernel-mode processes will be off. Applications like Pinnacle, Adobe Photo Editor, Maya and Gimp will suffer slow disk write times. MS PhotoEditor also would suffer similarly. Except, the MS PhotoEditor coder, some nice chap who is just doing his job, gets his ears chewed out and small chairs thrown at him. Goes into the source code tree, finds the coder who is controlling the access to the direct disk-write part on the OS side. Bingo, in the next release MS PhotoEditor performs 100x faster than Adobe. Mindless editors of PCMag and others ooh and aaah about the "technological advances" made by innovative MS.

    Yeah, sure it is a far-fetched conspiratorial theory. Mods, before you mod it troll or offtopic or weird or paranoid, take a look at the comments in the code outed by MainSoft. Obsolete version of Windows NT code. But it had numerous comments like, "Private entry point for Jim to get Excel access memory faster". Private entry points, calls that take shortcuts through several application layers and protocols... that is how security holes are made. Such a close nexus between application coders and OS coders is the reason why such API layers are violated.

  • Wayback Machine... (Score:1, Insightful)

    by Duncan3 ( 10537 ) on Saturday October 28, 2006 @04:07PM (#16624558)
    Page Files... Wow.

    I haven't had a machine with one of those in at least 5 years. I also don't have a 5 1/4" floppy drive anymore. Both turn a modern dual-core machine into an Apple ][e class machine.

    In all seriousness, why is this even supported in 64bit Vista?

    Memory is no longer a constraint in a 64bit system. If you can afford $450+ (widely leaked price) for the non-crippled Vista, you can afford the RAM. And if you're running a server, paging = death, even when using 15k RPM drives.

  • by daeg ( 828071 ) on Saturday October 28, 2006 @04:09PM (#16624560)
    Norton has been using hacks in win32 from day 1, and I'm sure they'll use them again this time around. I just hope Microsoft closes them as quickly as Norton exploits them -- the same holes that Norton uses will be the same holes that viruses use.
  • Re:Reckless? (Score:3, Insightful)

    by Gregory Cox ( 997625 ) on Saturday October 28, 2006 @04:14PM (#16624594)
    Designing an exploit is not reckless - the only thing that can be reckless is using the exploit you've designed in the wrong way, or giving it to the wrong people.

    As a security company, Authentium ought to know how to handle exploits properly. Presumably if they had a trusting relationship with Microsoft, they'd let them know about it quietly. Instead, they announced it publicly, using it as a bargaining chip against Microsoft in case it reneges on its promise to provide adequate APIs for security vendors.

    Microsoft, on the other hand, didn't say "thanks for letting us know, so we can patch it - just make sure you disclose the information in the proper way". Instead they're quoted as asking Authentium to "abandon the tactic" - clearly they view the very existence of the exploit as an embarrassment, even as a threat, and don't expect Authentium to play friendly and just hand over the details.

    Ideally, the two companies should be working together against malicious software writers to secure users' computers. Seen from that point of view, isn't the whole situation a little weird?
  • by Pr0xY ( 526811 ) on Saturday October 28, 2006 @04:21PM (#16624626)
    Sure it's not perfect, nothing is, but I find the effort of making PatchGuard a step in the right direction. Here's the thing: if it were possible to prevent anything but pre-approved code from running in kernel space, there would be basically no need for vendors to hook the kernel in the first place.

    Also, a lot of people are really talking it up about how Microsoft sucks and patchguard is just another flawed attempt at security by a company that doesn't know its ass from its elbow (or something to that nature)...but I haven't seen much if any effort by any of the other mainstream OSes to prevent kernel patching at all. It is downright trivial to write a Linux kernel module which hooks all sorts of critical data structures, same with FreeBSD and Solaris.

    Is it the argument of the anti-PatchGuard people that if it can't be done perfectly, let's not even bother?

    I guess the major driving point of my being a Microsoft apologist in this case is that, at least from an academic point of view, the kernel is supposed to be the only software which accesses these low-level things and abstracts out interfaces for the rest of the software to utilize... the kernel shouldn't be exposing anything like direct disk access, or kernel-space memory, to user space... ever, under any circumstances. Do that and things like rootkits are an awful lot harder to make in the first place.

    Some Linux distros are starting to get the point by limiting and sometimes eliminating entirely access to /dev/kmem which is a step in the right direction, but it's still not good enough.

    The way I see it, Microsoft may not be perfect, but at least they are trying.

    proxy
  • by Anonymous Coward on Saturday October 28, 2006 @04:22PM (#16624640)
    Yeah, you can always switch it off, if you are 100% certain you don't need it. But usually the OS doesn't page for fun, but only when the memory situation demands it. Not to mention, at anything below ~4GB, I would not want to be without a pagefile, simply because of the theoretical danger of some application demanding a lot of RAM, and there suddenly being no way out, and all applications running at risk of memory allocation denial.
    Swap /page certainly isn't as necessary as it used to be, but the way it does what it does is much safer than no swap/page at all.
    If you have memory in abundance, put a first priority swap onto a RAM disk and a small secondary one on a hdd. This gives the advantages of a fast swap, at the cost of real RAM, with the advantage of the OS managing it like swap, and enough memory for your usual needs.
  • by Monkelectric ( 546685 ) on Saturday October 28, 2006 @04:41PM (#16624728)
    It is a common misconception that machines only page when they are out of memory. Kernels will page various resources (file handles, etc) even when not out of ram. Also, paging allows the computer to decide what is useful and maximizes available ram by taking advantage of temporal localities in data and code.
  • by Foolhardy ( 664051 ) on Saturday October 28, 2006 @05:36PM (#16625252)
    This isn't a security hole. The fact that a process with admin privileges (yes, they're required for this) on the system can modify the kernel is something that can't be fixed by any means, on any OS (except via full TCPA). Microsoft knows that. Trying to protect the computer from malware/viruses that already have admin privileges is a joke. This is designed to make it such a pain for 3rd parties to continue modifying the kernel's internals (something that they shouldn't be doing in the first place) that they switch over to the public interfaces designed for the same purpose. Norton's crying that they have to clean up their code. Sophos already switched over.
  • by Johnno74 ( 252399 ) on Sunday October 29, 2006 @02:21AM (#16629316)
    The problem is, where does this leave tools like Daemon Tools, which require a device driver? They are screwed, unless they use hacks like the article describes. Free/open source apps won't be able to afford a cert for their drivers, and MS may not give them one anyway.
