http://news.com.com/Why+Microsoft+is+wrong+on+Vista+security/2010-7349_3-6123924.html
Why Microsoft is wrong on Vista security
McAfee Chief Scientist George Heron says a technological dispute could usher in
a new age of insecurity.
By George Heron
Published: October 9, 2006, 10:00 AM PDT
For decades, and in every Windows operating system prior to Vista, Microsoft has
relied on the contributions of third-party security vendors to help keep the
user safe.
These products protected both consumers and corporate users from the ravages of
malware such as viruses, spyware, trojans, worms and, most recently, rootkits.
These security products from independent software vendors even help keep
people's computers safe from Microsoft's own critical software bugs, which
notably have been on the increase in recent years.
Regrettably, Microsoft's own "buffer overflows" and "Internet Explorer exploits"
have now become commonplace in today's lexicon. But again, the security products
from the likes of McAfee, Symantec, Check Point Software Technologies, et al.,
have thankfully been available for people to choose in order to keep their
computing experience safe.
Over the years, the users (i.e. you, me, our families and colleagues) have been
able to select the best security solution for them from among any number of
companies providing mature and innovative security products.
This cooperative and relatively safe computing experience is about to change for
the worse in Vista.
Dropping down to the core of the operating system, we see that Microsoft has
implemented PatchGuard as a means of preventing access to kernel services that
classically have been allowed and available in all previous versions of Windows.
In a nutshell, PatchGuard crashes the computer when it detects that specific
internal data structures have been "hooked," which is a common way that
malicious software starts doing its damage.
However, the advanced features of behavioral-detection and intrusion-prevention
software also work this way. So by attempting to lock out the bad guys,
PatchGuard is also blocking advanced security features from working, and the
user is much less secure.
A straightforward example of this serious condition would be to consider the
case of a new mass-mailing worm suddenly appearing in the wild. Typically, known
viruses are caught during the delivery process, when the file containing the
virus is scanned for the characteristic signature of the malicious software. If
the bit pattern defining a known virus matches that in the incoming file, the
file will be quarantined or deleted, according to the policy governing this on
the computer.
A new virus, however, will not yet have a signature characteristic, as it has
not yet been studied by the virus research team, so this zero-day attack will
slip past the traditional antivirus checks in the kernel. Then, when the
infected carrier file runs, and the virus ultimately then gets launched, it is
born on the computer and immediately begins doing its dastardly deeds; in the
case of it being a mass mailer, it ravages the e-mail client's address book and
begins sending out tons of e-mails.
The cool part of the story next happens when the security software engages to
stop the virus dead in its tracks. All modern antivirus software contains--in
addition to the basic signature file scanning mentioned earlier--a technique
termed heuristic behavior detection that is designed to stop a zero-day attack
like the mass-mailer worm being described.
The calls being made by the worm into the kernel are studied by means of the
antivirus hooking the APIs (application program interfaces), and it can be
determined from the specific API calls and order/frequency of the calls that a
worm is active in the system. The antivirus then kills the worm by issuing an
Application Terminate call to the kernel, and the user is once again safe.
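The order-and-frequency heuristic the column describes, as an added illustration that is not from the article or from any McAfee product: a user-mode simulation that replays a constructed trace of per-process API events, treats "address book read, then a burst of mail sends" as mass-mailer behavior, and returns a terminate verdict for the offending process. The event names, window size and send threshold are assumptions chosen for the example.

```python
# Added example (not the article's or any vendor's code). Simulates the
# behavioral heuristic in user mode over a constructed event trace; event
# names, the 10 s window and the 20-send threshold are assumptions.
from collections import deque
from dataclasses import dataclass


@dataclass
class Event:
    ts: float   # seconds since trace start
    pid: int    # process the hooked call came from
    api: str    # constructed call name: "ReadAddressBook" or "SmtpSend"


class MassMailerHeuristic:
    """Flags a process that reads the address book and then sends mail in a burst."""

    def __init__(self, window_s=10.0, max_sends=20):
        self.window_s = window_s
        self.max_sends = max_sends
        self.read_book = set()   # pids observed reading the address book
        self.sends = {}          # pid -> deque of recent send timestamps
        self.flagged = set()

    def observe(self, ev):
        if ev.api == "ReadAddressBook":
            self.read_book.add(ev.pid)
        elif ev.api == "SmtpSend":
            q = self.sends.setdefault(ev.pid, deque())
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window_s:   # sliding window
                q.popleft()
            # Order matters: the address-book read must precede the burst.
            if ev.pid in self.read_book and len(q) > self.max_sends:
                self.flagged.add(ev.pid)
                return "terminate"
        return None


def detect(events, **kw):
    """Replay events in time order; return {pid: verdict} for flagged processes."""
    h = MassMailerHeuristic(**kw)
    verdicts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        v = h.observe(ev)
        if v:
            verdicts[ev.pid] = v
    return verdicts


def constructed_trace():
    # Constructed sample: pid 100 is a mail client sending a handful of messages
    # after reading its address book (benign); pid 200 reads the address book and
    # then sends 40 messages in 4 s (worm-like); pid 300 sends 40 messages without
    # ever touching the address book, so this particular rule does not fire.
    evs = [Event(0.0, 100, "ReadAddressBook")]
    evs += [Event(1.0 + i, 100, "SmtpSend") for i in range(5)]
    evs += [Event(2.0, 200, "ReadAddressBook")]
    evs += [Event(2.1 + 0.1 * i, 200, "SmtpSend") for i in range(40)]
    evs += [Event(3.0 + 0.1 * i, 300, "SmtpSend") for i in range(40)]
    return evs
```

Running `detect(constructed_trace())` flags only pid 200, which shows why the heuristic keys on call order and rate together rather than on either alone.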
Of course, some other details are not depicted in this simple example. But the
main point is that this is the way state-of-the-art antivirus operates today--
first to detect the virus signature, and then to use behavioral techniques to
detect new, zero-day outbreaks. And the killer part of this example is that
PatchGuard will prevent this type of behavior-based zero-day detection from
operating.
The standard technique employed by security vendors for years and years--hooking
the APIs and the ability to kill applications--is specifically being blocked.
Further, Microsoft, which has no similar detection technique, is preventing
security vendor antivirus packages from using these advanced features--even
though Microsoft does not have the ability to do this itself.
The net-net is that the user is demonstrably less safe as compared to during the
XP days, when security vendors could use their advanced behavioral features.
I'm not sure how we can end this story on a positive note. With Microsoft's
design of Windows Security Center and PatchGuard, the restrictions on user
choice of security solution, the stifling of innovation being forced upon the
industry and, most of all, the clear and present danger of dramatically reduced
user safety all come to a head in Vista.
I suppose one can only hope that Microsoft can come to the realization at some
point soon that the simple Vista alterations suggested by the industry must be
taken seriously and implemented.