Security Firm Bypasses Patch Guard

filenavigator writes, "This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows. It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors. With Authentium's workaround it can be turned off, software installed, and turned right back on. Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."

The Aura of Patchiness!

[Ninjaesque One]

I wonder what the implications will be for security: Oh, yes; Windows is already swiss cheese. . . . Dutch Cheese! Now with 100% more holes!

Reckless?

[Izago909]

What's more reckless... writing software with security holes and making its' selling point the high level of security it contains... or discovering an exploit that defies the marketing team?

Spelling correction.

[Majik Sheff]

You left the 'n' out of "defines".

Re:Spelling correction.

[Hamoohead]

I thought "defiles" was was spelled with an "L"

Re:

[Anonymous Coward]

I know this isn't the answer that the slashdot crowd wan't to here, but designing an exploit is a lot more reckless than designing code that can be exploited.

One's a mistake; the other is deliberate.

Re:

[Izago909]

How about a reputable security firm discovering an exploit and making the details public... or some kid in his basement who keeps it to himself and does who knows what with it?

Re:

[Gregory Cox]

Designing an exploit is not reckless - the only thing that can be reckless is using the exploit you've designed in the wrong way, or giving it to the wrong people.

As a security company, Authentium ought to know how to handle exploits properly. Presumably if they had a trusting relationship with Microsoft, they'd let them know about it quietly. Instead, they announced it publicly, using it as a bargaining chip against Microsoft in case it reneges on its promise to provide adequate APIs for security vendors.

M

Re:

[marafa]

slashdot translator: i know this isn't the answer that the slashdot crowd want to hear, but designing an exploit is a lot more reckless than designing code that can be exploited

Backasswards compatibility

[TubeSteak]

What's more reckless... writing software with security holes

FTFA: The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company's tools to infiltrate Vista's kernel hooking driver, and get out, without the OS knowing the difference.

It would seem to me that backwards compatibility is, once again, a security hole.

No it's not... This isn't about security anyway.

[ivan256]

There is no reason for that to be true. Locking out old drivers doesn't provide security, nor would allowing them have to lessen security. The only reason Microsoft is requiring signed drivers is for DRM.

Reckless

[Anonymous Coward]

Yes, Microsoft's reckless ways *are* destroying the security of Windows users.

Re:

[Opportunist]

You say that as if it was supposed to increase the security of Windows user systems.

It is supposed to increase the security of software and content run on those machines against their users.

Let it be said again.

[Lord Kano]

Necessity is the mother of invention.

If Microsoft hadn't been so assholeish about it, no one would have needed to circumvent their "protections".

LK

Re:

[Instine]

I agree. Although I was looking forward to the end of Norton. Alls not lost yet! Such hacks are always going to emerge. And hackers will exploit them, as will small agile companies. But lumbering behemoths like Symantech should find it hard to use one of these xploits commercially before M$ sort the fix.

Re:Let it be said again.

[daeg]

Norton has been using hacks in win32 from day 1, and I'm sure they'll use them again this time around. I just hope Microsoft closes them as quickly as Norton exploits them -- the same holes that Norton uses will be the same holes that viruses use.

Re:Let it be said again.

[Foolhardy]

This isn't a security hole. The fact that a process with admin privileges (yes, they're required for this) on the system can modify the kernel is something that can't be fixed by any means, on any OS (except via full TCPA). Microsoft knows that. Trying to protect the computer from malware/viruses that already have admin privileges is a joke. This is designed to make it such a pain for 3rd parties to continue modifying the kernel's internals (something that they shouldn't be doing in the first place) that they switch over to the public interfaces designed for the same purpose. Norton's crying that they have to clean up their code. Sophos already switched over.

Re:

[Johnno74]

The problem is where does this leave tools like daemon tools, which require a device driver? They are screwed, unless they use hacks like the article describes. free/open source apps won't be able to afford a cert for their drivers, and MS may not give them one anyway.

Re:

[Foolhardy]

PatchGuard [microsoft.com] is about stopping modifications to the kernel's internal structures, like the syscall table and the kernel's image. It has nothing to do with loading drivers that use only the kernel's public interfaces.

However, Microsoft HAS decided that only kernel-mode drivers signed with a SPC (software publishing certificate) can be loaded [microsoft.com] on x64. Microsoft doesn't charge anything for a SPC directly, but you do need to buy a cert from a commercial CA [microsoft.com] like Verisign. There is also an option [msdn.com] that the user can

Re:

[oddfox]

Uhhh, what? Daemon Tools 4.0.6 runs just fine in both 32-bit and 64-bit Vista. And Jesus Christ, as far as affording certs go I guess the majority of Slashdot has never heard of donating to a project you care about keeping around. $500 for a one-year license? Oh no, whatever shall we do?! Give me a fscking break, am a regular at many sites which operate off donations and pitch in when I can to keep what I like active.

Re:

[oddfox]

And I should have used the preview button to catch that missing 'I'.

Re:

[tb3]

Yah know, I wish people would call it 'Symantic Anti-Virus'. I always feel a bit sad when I see Peter Norton's name being dragged through the mud.

Re:

[innocent_white_lamb]

I always feel a bit sad when I see Peter Norton's name being dragged through the mud.
 
He's the one who chose to sell his name, so I find it difficult to cry too hard for him.

Re:

[Firehed]

SAV and NAV are two entirely separate products, just sold by the same company. Symantec is reasonably well-behaved, as you'd expect from a very expensive product designed for massive enterprise licensing. Norton, on the other hand, is about three notches below full-on shitware. It's his own fault for putting his name behind the crappy consumer version instead of the relatively decent enterprise product.

Re:

[tb3]

I don't think it's his fault. He was out of the software business long before Symantec changed it's focus from development tools and utilities to the more lucrative 'security' market. I don't think Peter Norton had any say in the matter.

Politeness

[Steamhead]

Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly.

Rather nice way to say "Thanks, we will fix this right away" eh?

Re:

[Volante3192]

Plus add another two weeks to the date Vista goes gold.

'obvious' bug.

[SillyNickName4me]

So, the way to achieve this is by changing contents in the pagefile by writing disk sectors directly.

If such an obvious bypass has not been considered, how many other such issues exist that are yet undiscovered?

Then, the supposed 'fix' is to disallow writing raw disk sectors for any non kernel code. This will only work when not allowing for things like disk editors and recovery tools, because those would need ways to bypass this and this just opens up new attack vectors.

MS PhotoEditor will outperform Adobe by 100x

[140Mandak262Jamuna]

OK, let us take the next logical step, all direct disk write by non-kernel mode process will be off. Applications like Pinnacle, Adobe Photo Editor, Maya and Gimp will suffer slow disk write times. MS PhotoEditor also would suffer similarly. Except, MS PhotoEditor coder, some nice chap who is just doing his job gets his ears chewed out and small chairs thrown at him. Goes into the source code tree finds the coder who is controlling the access to the direct diskwrite part in OS side. Bingo, in the next release MS PhotoEditor performs 100x faster than Adobe. Mindless editors of PCMag and others ooh and aaah about the "technological advances" made by innovative MS.

Yeah, sure it is a far fetched conspirational theory. Mods, before you mod it troll or offtopic or wierd or paranoid, take a look at the comments in the code outed by MainSoft. Obsolete version of Windows NT code. But it had numerous comments like, "Private entry point for Jim to get Excel access memory faster". Private entry points, calls that take shortcuts through several application layers and protocols... that is how security holes are made. Such close nexus between application coders and OS coders is the reason why such api-layers are violated.

Re:

[FlyingGuy]

Let us not forget about Teddy Bear!

Re:MS PhotoEditor will outperform Adobe by 100x

[Foolhardy]

What could you possibly be talking about? Direct disk access means bypassing the filesystem and reading and writing to the sectors directly. This requires administrator privileges for good reason: it bypasses file security, file locks and all the other nice things that filesystems do. No user application requires the ability to bypass the filesystem. Don't you need to be root to access a mounted block device on a UNIX? It's the same thing. The fact that it's possible to modify the kernel when you have admin privileges (and physical access for that matter) is hardly suprising, and in fact is unfixable (short of full TCPA).

PatchGuard is only there to discourage apps that hook the syscall table (an inherantly unsafe operation) and make other modifications to the kernel's private, volaitle internal interfaces. When Windows NT was written, the MS devs never expected 3rd party devs to go poking around with the kernel's private interfaces, and are rightly disgusted when those 3rd party software programs cause problems because of it. Compare this to Linux: you are free to maintain your own custom build of the kernel, but in the mainline, all the kernel interfaces are so volaitle, every minor revision is binary incompatible with the rest. You'd never get a device driver accepted into the mainline if it depended on private interfaces that break every revision, even on a source level. Microsoft is well within their prerogative to make changes the Windows kernel's internal, private interfaces. This doesn't work too well when 3rd party apps are dependent on them never changing, especially when Windows crashes because of it. PatchGuard is a technical speed bump to make it harder for 3rd party software companies to screw with the kernel's internals. Microsoft knows that it's an unwinnable arms race [msdn.com], but hope that the 3rd parties will decide it's just easier to stick to the kernel's public interfaces. Microsoft is willing to create new stable public interfaces to support the necessary behavior.

The only thing I can think of that you might be talking about for reduced performance is if you meant no intermediate buffering when you said "direct disk write". The FILE_FLAG_NO_BUFFERING and FILE_FLAG_WRITE_THROUGH [microsoft.com] buffering options are unrelated to direct disk access (which actually means bypassing the filesystem to access the block device directly). Write through and unbuffered IO aren't going anywhere.

As for special hooks that MS applications get into the OS that no one else gets, how about an actual example?

Re:

[140Mandak262Jamuna]

As for special hooks that MS applications get into the OS that no one else gets, how about an actual example?

Well couple of minutes in google fetches this gem

private\mvdm\wow32\wcntl32.c:
// These undocumented messages are used by Excel 5.0

private\mvdm\wow32\wgdi31.c:
// InquireVisRgn is an undocumented Win 3.1 API. This code has been
// suggested by ChuckWh. If this does not fix the s 2.0
// problem, then ChuckWh would be providing us with an private entry
// point.

from this site. [tfproject.org] Since MS is closed sour

Re:

[Foolhardy]

Let's see here:
Excel 5.0 was released in 1993 for Win16 and uses undocumented messages in one of the windows common controls. I was hoping for something a little more substantive, more recent, and involving the kernel.
In the InquireVisRgn comment doesn't mention anywhere that InquireVisRgn or the "private entry point" is used by anything but the OS itself. It's not an issue if the OS is using its own private interfaces.

Notice that in the article, they noted that there were about as many compatibility hack

Goes in the source tree? Why?

[nurb432]

Being a fellow 'blessed' microsoft team member, all he has to do is walk across the hall, and ask that his wonderful application gets the 'fast lane access' to the file system.

You know there will be provisions for THEIR apps to do such a thing since they are 'trusted', but deny others the same direct access 'for your security' .

Re:

[innocent_white_lamb]

So, the way to achieve this is by changing contents in the pagefile by writing disk sectors directly.
 
This problem on Vista isn't newly discovered. It was discussed here [redhat.com] earlier this month, in fact.

Re:

[SillyNickName4me]

Conceptually, such attacks have been known on various platforms for a long time, but seldom considered very relevant because of there being easier attack vectors or practical attacks requiring already having the ability to run your own kernel-mode code. There exist systems that guard against it I'm sure, and there are various ways to guard against it.

It just surprises me that Vista didn't guard against it so far because of it being such a well known concept, and even if you didn't know the concept, it shoul

Remember what "security" means

[Sloppy]

To users, security is about protecting the machine from external threats.

To Microsoft, security is about protecting the machine from everyone, including the owner and admin.

To users, security is about protecting the user's personal data and ability to use the machine.

To Microsoft, security is about protecting someone's data (not necessarily the user's) from everyone (perhaps including the user).

To the computer's owner, the machine is entirely their own domain, and exists for their own benefit to maximize their own interests.

To Microsoft, the machine is partitioned and not all of it belongs to the owner, ultimately to maximize Microsoft's interests.

To the computer's owner, their relationship to Microsoft is that the computer owner is the customer.

To Microsoft, their relationship to the computer's owner, is that the owner is both a customer and a product.

Re:

[kimvette]

Actually. based on what I've seen of Microsoft's actions over the last few years, their view of security is that their monopoly must be protected, regardless of right of first sale, fair use, or any other consumer rights.

Re:

[westlake]

To Microsoft, security is about protecting the machine from everyone, including the owner and admin.
To Microsoft, security is about protecting someone's data (not necessarily the user's) from everyone (perhaps including the user).

the population of the US is 300 million.

at any given moment there must be millions of users running a PC without advanced skills or technical support. no help desk. no system adminstrator. no geek living next door with a clue to what has gone wrong and how to fix it.

in that co

Re:

[Opportunist]

True, to a point. But a machine I buy is still supposed to be mine to do my bidding. That's what it is about.

When a machine's (or its maker's) intentions are above its user's, something is running very wrong. My machine is mine. And I will make it mine.

If that means to break the law, so be it.

Re:

[Tim C]

To users, security is about protecting the machine from external threats.

And right there is half the problem; the most common threat faced by a desktop machine is that of a user with admin privs unwittingly installing a trojan or virus.

Banging head against cement....

[beheaderaswp]

I keep sitting here hoping... in fact praying (an I'm not a religious guy)... that SOMEBODY gets a court to understand how strongly the antitrust laws could be applied to something like this. Simple Points:

1. Microsoft historically cannot secure it's own operating system.

2. Microsoft wants to charge for securing it's operating system.

3. Microsoft makes it difficult for *others* to secure it's operating system.

Yeesh...

1. Ford historically makes cars that explode.

2. Ford wants to charge extra for a car with "

Re:Banging head against cement....

[Angostura]

Well, I hate to be contrarian (actually I don't) but in this case Microsoft is attempting to address you point 1. in a reasonable way, by disallowing unsigned drivers. The fact that the protection can be broken is problematic. The fact that Microsoft is now looking to close the loophole is fine.

Re:

[beheaderaswp]

Um yea... that makes sense in portions of Redmond Washington, in an opium den, and a closed session of congress.

But if you actually use their OS it makes no sense because the fox is guarding the chicken coop.

Re:

[Perseid]

If this route actually does lead to securing Windows, kudos to them. Hats off to them. And it's just too bad for Symantec if it means the OS is more secure. The problem is that I don't see that happening. I disagree with you when you say Microsoft is attempting to address his point 1. It seems to me that Microsoft is attempting to make it LOOK like they are addressing his point 1. The fact that the security monitoring companies are already finding flaws in an OS that's supposed to ship in a month is a very

Re:

[Nasarius]

Microsoft is attempting to address you point 1. in a reasonable way, by disallowing unsigned drivers

That is not "reasonable". In fact, it totally screws many independent software developers. For example, if you have a piece of software with a driver that gets frequently updated, do they really expect you to get every one tested and signed by MS? This is their way of making money and locking out smaller software companies.

I don't see how it helps security, anyway. If something has gotten to the point w

Re:

[drsmithy]

That is not "reasonable". In fact, it totally screws many independent software developers. For example, if you have a piece of software with a driver that gets frequently updated, do they really expect you to get every one tested and signed by MS? This is their way of making money and locking out smaller software companies.

Maybe those small developers should write their code properly so such frequent updates aren't necessary ?

I don't see how it helps security, anyway. If something has gotten to the poi

Re:

[kfg]

Ford makes it difficult for others to make Ford cars not explode.

http://www.fuelsafe.com/mustang.htm [fuelsafe.com]

KFG

Re:

[Joebert]

Get the gun Gertrude, I'm gonna join with old Uncle Ben.

1. Uncle Ben [unclebens.com] historicly produces meals that make me constipated. 2. Uncle Ben wants to charge extra for meals that wont make me constipated. 3. Uncle Ben makes it hard for others to take a shit.

The conclusion:

[A beautiful mind]

Malicious software and black hats will continue to use the pagefile exploit to overwrite what they need and do what they want, while legitimate software writers get locked out completely. Kind of defeats the purpose...or do you think that MS had a different purpose altogether?

RTFA!

[A beautiful mind]

The whole point of the first article was that Microsoft "fixed" the pagefile workaround! I would have thought you're new enough at here to RTFA!

Anyways, good riddance that this company found another way around...

Re:

[A beautiful mind]

D'oh. Thanks for telling me. [wikipedia.org] See, that's what I get for not reading TFA.

Next time I'll be more careful. [wikipedia.org]

Obscurity...

[RyanFenton]

The only realistic hope for security through obscurity is if your product never actually comes in contact with a customer. Doesn't matter what kind of black box you put things in - if it comes in contact with a customer, it should not be considered secret or secure.

If you can package it to put it into a black box, someone's either going to open it, poke at it for a response, or figure out how to replace it. And especially with computers, they'll figure out how to use it in a more general way than you intended.

If you cannot accept that your ideas, no matter how big or well-crafted, are just a part of the greater ocean of ideas, then as long as your ideas can be used, your ideas are going to be swept away against your wishes. Until the nature of humanity is changed, that is the nature of the way we deal with ideas (and thus software/hardware). I personally find much more comfort in that dynamic than pain - there are many more ways to use that dynamic rather than fight against the ocean, so to speak.

Ryan Fenton

Bit of a stretch

[Psykosys]

It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors.

While it could be argued that part of Microsoft's goal with PatchGuard is to keep out "security company competitors", there's no hard evidence, AFAIK, that this was one of Microsoft's design goals in creating it and it's somewhat irresponsible to suggest this. If there were, this would presumably be an easy court case and security companies wouldn't have a hard time at all suing Microsoft for illegal measures to establish a monopoly, etc. Instead, they'll be faced with the uphill task of proving that the "keeping out the competition" aspect is not just a necessary side effect of the rest of the design.

Re:

[A beautiful mind]

If there were, this would presumably be an easy court case and security companies wouldn't have a hard time at all suing Microsoft for illegal measures to establish a monopoly, etc.

You mean like they are taking action against MS in the EU?

Unsigned drivers

[The_Morgan]

Seems like MS wants in on Apples game. Make hardware companies pay to have their drivers offically MS approved. Also keep people from using older, obsolete computers. In order to get that next version of windows you'll need a new rig with all the 'taxes' paid up.

Re:

[Midnight Thunder]

Seems like MS wants in on Apples game. Make hardware companies pay to have their drivers offically MS approved.

Last time I checked anyone could write a driver for Darwin/MacOS X. No need to pay a $500 privilege to do so.

Wait, wait. . .

[Hamoohead]

Isn't the whole reason for these security companies' existance because of Microsoft's "reckless ways"? Although the notion of a black box kernel can (and I'm sure - will be abused by MS by eliminating DRM circumvention - say goodby to virtual CD drivers), isn't this the only true way of making sure that nothing gets past the kernel? Kudos to MS for plugging this hole.

Re:

[marcosdumay]

"isn't this the only true way of making sure that nothing gets past the kernel?"

Funny thing is that it's useless, it won't stop people from copying data or emulating hardware.

At least not until the hardware itself is able to recognize Windows and refuse to run everything else. And even then, it is a hard problem to solve.

Re:

[Zantetsuken]

"At least not until the hardware itself is able to recognize Windows and refuse to run everything else"

wouldn't that be an attempt at monopoly though on the part of the hardware vendor(s) AND/OR Microsoft because you wouldn't be able to use the hardware with Linux or Mac for example if it was cross-platform before the hardware-drm. Thankfully I'm not a lawyer, this crap can get kinda confusing...

Re:

[VGPowerlord]

"At least not until the hardware itself is able to recognize Windows and refuse to run everything else."

Change a few words around and I'd think you were describing Mac OSX on Intel:

"At least not until the OS itself is able to recognize apple hardware and refuse to run on everything else."

Re:

[Vector7]

How is having control over my own computer a security hole? Any malicious software I might download and run from the internet doesn't need magic kernel superpowers to do its harm. Everything I care about - my files, my running applications - is hanging right out there in userland, and this isn't going to change. Even running as the most limited user, if I click that email attachment and run it, it will free to delete all my personal files and mail them off to china, regardless of whether it can load a drive

Re:

[Hamoohead]

I may get a karma hit for this, but. . .

My concern is not whether you have control over your own computer system, but whether an unauthorized person is able to hook the kernel to install a root kit wreaking havoc on my own system. Remember, it was MS's laudable decision to make admin the default mode in XP to begin with rather than following Linux and OSX method of requiring password access for any system level manipulation opening us up to a myriad of web bugs. It is because of this poor judgement tha

Dear Microsoft...

[Volante3192]

The tighter you clench your fist, more bits will slip through your fingers.

Seriously, did they think this wouldn't be broken? This has become a bad joke. Big company uses software to protect their code, rag tag team of coders breaks it, big company throws a hissy fit, we all laugh at and mock the company.

How many more times must this happen before someone at one of these megalithic corporations realizes all they're doing is reinventing the wheel over...and over...and over again?

Nice Anti-Microsoft blurb - good job, editors

[Animaether]

"Patch Guard ... is supposed to keep out ... security company competitors"
Uhm. Yes. According to -some- security company competitors whose entirely livelihood depends on Windows being as insecure as it is? Certainly not according to Microsoft itself.

"Microsoft immediately responded"
really?
Microsoft doesn't respond anywhere in that article. In fact, page 2 (yes, it's one of THOSE articles) specifically reads:
"Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move."

So where -did- they respond?

"by saying their reckless ..."
and that whole article doesn't contain the word 'reckless' at all. So where did they say this, again?

Mind you, the article itself is in error when on page 2 it states:
"Next Page: Microsoft defends itself."

And when you get to page 3, you get:
- a symantec spokesperson
- an industry watcher, possibly:
- Andrew Jaquith of Yankee Group

But absolutely no Microsoft. So where is Microsoft defending itself?

Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.

The Microsoft statement is behind the other link

[jesterzog]

Don't get me wrong, I think PatchGuard probably has more holes than a slice of Swiss cheese... but the submitter's text needs redacting, and the original article could do with an -actual- statement from Microsoft.

Perhaps this link was added to the slashdot summary after you posted your comment for all I know, but the slashdot summary that I read had two links, and I found that statement quite clearly after following the first link [intelliadmin.com]. About the 13th paragraph down in that article states, complete with the

Re:

[Animaether]

Indeed, there was but one link (the original article seems to have additional references now as well).

I think I'm still looking for the statement about something being quote reckless unquote, though. Saying that they are unhappy (duh), and that user's might find themselves in a pickle if relying on a product which uses a method that will be rendered defunct soon (or already is, according to that article you linked to), is hardly saying that Authentium was being reckless and endangering Windows security and

Wayback Machine...

[Duncan3]

Page Files... Wow.

I haven't had a machine with one of those in at least 5 years. I also don't have a 5 1/4" floppy drive anymore. Both turn a modern dual-core machine into an Apple ][e class machine.

In all seriousness, why is this even supported in 64bit Vista?

Memory is no longer a constraint in a 64bit system. If you can afford $450+ (widely leaked price) for the non-crippled Vista, you can afford the RAM. And if you're running a server, paging = death, even when using 15k RPM drives.

Re:

[Tacvek]

Are you sure you have no page files? Most operating systems will swap out memory. Windows defaults to having a page file. (At least 32-bit XP does.) (Mine uses a 1536MB-3072MB paging file). Linux has the swap partition.

Sure, 64-bit means a memory cap so high it is very unlikely you will ever reach it, but what is the highest one machine is going to have? 8GB? 16GB? Even with that much memory, a paging file can sometimes increase performance. It may be because of architectural design faults. At one point L

Re:

[Anonymous Coward]

Yeah, you can always switch it off, if you are 100% certain you don't need it. But usually the OS doesn't page for fun, but only when the memory situation demands it. Not to mention, at anything below ~4GB, I would not want to be without a pagefile, simply because of the theoretical danger of some application demanding a lot of RAM, and there suddendly being no way out, and all applications running a-risk of memory allocation denial.
Swap /page certainly isn't as necessary as it used to be, but the way it do

Re:

[Monkelectric]

It is a common misconception that machines only page when they are out of memory. Kernels will page various resources (file handles, etc) even when not out of ram. Also, paging allows the computer to decide what is useful and maximizes available ram by taking advantage of temporal localities in data and code.

Re:

[magetoo]

In all fairness, modern operating systems also cache disk accesses, even what is being paged out, so supposedly most things will still stay in memory, under normal conditions.

In practice, this might not always work perfectly (especially when you're doing a lot of disk I/O); but I suppose it works pretty well most of the time for most people. It does - most of the time - for me at least.

Re:

[fishbowl]

There are good reasons to have virtual memory even when there is sufficient physical memory.
Some applications need a lot of RAM, but not all at once. So if they don't do a lot of page-outs, they are actually put a much less significant load on the overall system than the same applications would if they had to store their entire state in physical RAM.

Re:

[daverabbitz]

HAHAHAHAHAHA, first of all, shame on you, everyone has 5 1/4 inch drives.

Secondly swap is invaluable when running large multiuser application servers.

Yes swap will kill your web server, probably your file server too, but when it comes to user applications where a large proportion of them will be suspended at any one time, I'm not going to put 16G of ram in a server when 8G and 8G of swap is perfectly sufficient. For instance a user leaves a browser open at some page for 4 days, it's not doing anything, but

Re:

[Ruie]

Page Files... Wow.

I haven't had a machine with one of those in at least 5 years. I also don't have a 5 1/4" floppy drive anymore. Both turn a modern dual-core machine into an Apple ][e class machine.

In all seriousness, why is this even supported in 64bit Vista?

Memory is no longer a constraint in a 64bit system. If you can afford $450+ (widely leaked price) for the non-crippled Vista, you can afford the RAM. And if you're running a server, paging = death, even when using 15k RPM drives.

A few notes:

This ranks with WMP crack

[140Mandak262Jamuna]

So MS will fix it on the double. If it has already been shipped they will even issue an out of cycle patch like they did for WMP crack. But any security hole that affects only the users and not MS's stranglehold on the market, they will tackle it by waiting till the OS is end of lifed. They they resolve the bug, "OS no longer supported".

thoughts on patchguard

[Pr0xY]

sure it's not perfect, nothing is, but I find the effort of making patchguard a step in the right direction. Here's the thing, If it were possible to prevent anything but pre-approved code from running in kernel space, there would be basically no need for vendors to hook the kernel in the first place.

Also, a lot of people are really talking it up about how Microsoft sucks and patchguard is just another flawed attempt at security by a company that doesn't know its ass from its elbow (or something to that nature)...but I haven't seen much if any effort by any of the other mainstream OSes to prevent kernel patching at all. It is downright trivial to write a Linux kernel module which hooks all sorts of critical data structures, same with FreeBSD and Solaris.

Is it the argument of the anti-patchguard people that if it can't be done perfectly, lets not even bother?

I guess the major driving point of my being a Microsoft apologist in this case is that, at least from an academic point of view, the kernel is supposed to be the only software which accesses these low level things and abstracts out interfaces for the rest of the software to utilize...the kernel shouldn't be exposing anything like direct disk access, or kernel space memory to user space....ever, under any circumstances. do that and things like rootkits are an awful lot harder to make in the first place.

Some Linux distros are starting to get the point by limiting and sometimes eliminating entirely access to /dev/kmem which is a step in the right direction, but it's still not good enough.

The way I see it, Microsoft may not be perfect, but at least they are trying.

proxy

Seriously

[fwarren]

How long do you think it will be till things are back to business as usual?

1. Virus writers find a new way to exploit weakness in Patch Guard, system gets new virus.
2. Microsoft updates their anti-virus product to fix/remove this virus after the fact and patch Patch Guard to prevent the exploit from working.
3. Lather and repeat. Goto step 1

Re:

[NullProg]

but I haven't seen much if any effort by any of the other mainstream OSes to prevent kernel patching at all. It is downright trivial to write a Linux kernel module which hooks all sorts of critical data structures,

Nope,
I can build my Linux kernel without module support. Your module is not going to get loaded.

Enjoy,

Re:

[karmatic]

So your kernel compiled without modules write-protects /dev/kmem, too?

Granted, using something like GRSecurity, it's certainly doable. It does, however, require some third party help.

Re:

[Eivind Eklund]

Actually, at least FreeBSD let you block kernel modules and all other ways of modifying the kernel (until reboot): Set the sysctl kern.securelevel.

Eivind.

Re:

[asuffield]

Missing the point. This is not and never has been about stopping virus attacks - it won't accomplish that and Microsoft knows it; every Windows kernel is full of exploitable bugs and most viruses exploit them.

This is about stopping the user from modifying the kernel's behaviour, so that Microsoft can lock down your computer and control what you do with it.

the kernel is supposed to be the only software which accesses these low level things and abstracts out interfaces for the rest of the software to utilize

N

Re:

[Pr0xY]

I would beg to differ, it is about stopping virus attacks. First of all, one of the main points of my post's previous argument was that if you could stop malware from modifying the kernel, you would effectively eliminate the need for AV vendors to modify the kernel as well.

Secondly to respond it being about

"This is about stopping the user from modifying the kernel's behaviour, so that Microsoft can lock down your computer and control what you do with it."

Well yea, who says that the user should be able to?

Re:

[roystgnr]

it would have been much better to have a Singularity base system with legacy support via WoW emulator.

That might fix a few Windows kernel bugs, but imagine the hordes of new bug reports you'd see instead:

"I want to start Excel, but it's in the Arathi Highlands and I keep getting PKed by a level 60!"

Biased story submission,

[Rip!ey]

The slashdot summary says "Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users and that they will disable this hack quickly."

But the article reads differently. "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move. O'Donnell said that Authentium has informed Microsoft of its work, and that the software company asked it to abandon the tactic and wait for its new APIs ..."

Re:

[civilizedINTENSITY]

There were two links. You missed it.

Patch Guard according to Sophos

[Bloater]

According to Sophos [sophos.com], "PatchGuard is a positive step".

This posting itself only provides a direct link to a Sophos article, and does not indicate any opinion on the subject, either of mine or of my employer (whomsoever that may be - which I'm not telling you).

Re:

[Bloater]

Is "linking verb" a new linguistic term? I don't recall it during my linguistics training, perhaps you mean that "be" (in this case) is the copula. As a native English speaker, it's difficult to figure out whether it's the copula since we don't have the two separate forms of many other languages (such as Irish). Since the morpheme that converts "who" to "whom" need not agree with a feature of the verb but is based on the noun's case, the copulative nature (or not) of the verb here is not terribly important.

Unsigned drivers necessary for now

[lemaymd]

I'm not sure what effect PatchGuard and its related technologies will actually have on security, but they certainly do cause certain hardware configurations to become unusable and confiscate a great deal of power in Microsoft's hands. I wanted to experiment with an M-Audio Delta 1010LT pro audio card on Vista 64-bit, but M-audio hasn't released any signed drivers for that particular card and has stated that they will not do so until Vista is officially shipped. Theoretically, it shouldn't have been possib

Re:

[octopus72]

However you can be certain that protected video path and other DRM-protective kernel stuff will be immediately shut down if patchguard is bypassed (and apps will refuse to play content). In case of secret/unpatched workarounds, apps relying on DRM for copy protection can be fooled and content ripped, which is Microsoft's biggest concern.

Best. Grammar error. Ever.

[mattwarden]

This is why God invented ambiguous references:

Microsoft immediately responded by saying their reckless ways are endangering the security of Windows users

Finally, admission of guilt.

Yeah, right. Reckless.

[Weaselmancer]

Same way it would have been reckless to point out the iceberg to the captain of the Titanic.

Security against the user will not work

[Opportunist]

Two things. First of all, there are other exploits that allow the installation of unsigned drivers. As far as I know (but I'm not the expert in that field), they have not been fixed so far. They have also not been published so far.

It's sensible to assume that they will be used instead.

The battle for system security is up, and this time it's not MS and its users against the malware writers. It is MS against its users, and users against malware authors. Yes, I did not forget about the tangent of MS against ma

Re:

[linuxrocks123]

I think you'd have a hard time convincing a court that running a general-purpose PatchGuard disabling mechanism violates the DMCA, which is the only law I can think of that might apply to this. Since the rest of your post depends on the assumption that "cracking" a machine you own is illegal, I don't think your predictions are valid.

New Canonical Oxymoron: Microsoft Security Feature

[FractalZone]

"This week the security firm Authentium found a workaround for Patch Guard, the security feature Microsoft has embedded into the 64-bit version of Windows."

Anything that highlights one of the many flaws in a typical Microsoft (In)security feature should not be considered an a mere exploit or even a workaround, but rather a tremendous public service! When said public service enables the installation of real security features (as opposed to the buggy bloatware which Microsoft Hype(tm) labels a "security f

not X64 just Vista

[Archfeld]

I've been running windows xp pro X64 for some time without any of these issues. This is a 'Bonus Item' M$ has included/inflicted on Vista...

But but but

[Cally]

... I posted this before this story ran! [slashdot.org]

Right, I'm sulking now ;p

Sorry what was that?

[tuxisthefuture]

Microsoft immediately responded by saying THEIR reckless ways are endangering the security of Windows users by not disabling the hack before release?

Re:

[civilizedINTENSITY]

lol...that wasn't a summary, that was a quote from the article! How can quoting the article be a "biased summary"?

Re:

[VGPowerlord]

Did you visit both articles? If so, you would have noticed that the IntelliAdmin.com article sources an eWeek article [eweek.com] written by Matt Hines. eWeek's Matt Hines, in case you missed it [eweek.com], said "Microsoft representatives didn't immediately respond to calls seeking comment on Authentium's move." in the earlier of their two [eweek.com] articles [eweek.com].

So, yes, involving a second website in order to get an anti-Microsoft quote is indeed a biased summary.

Re:

[civilizedINTENSITY]

This is interesting and all, but not what was posted, that I responded to. The title, "Biased summary", and the text, "It is supposed to keep out unsigned drivers, kernel modifications, and security company competitors." Which is in the summary, but is a quote from the article. Hence, the quote was not indicating a biased summary, but rather the quote was indicitave of the rest of the article.

This was followed by the sig, "The sun is hot! Water is wet! Slashdot summary is biased! News at eleven."

I