Microsoft Caves on Vista Security

By Larry Seltzer  |  Posted 2006-10-16 Email Print this article Print
 
 
 
 
 
 
 

WEBINAR: Event Date: Tues, December 5, 2017 at 1:00 p.m. ET/10:00 a.m. PT

How Real-World Numbers Make the Case for SSDs in the Data Center REGISTER >

Opinion: Will the security companies making trouble for Microsoft be appeased by the changes the company has agreed to make? They should be, but that's no guarantee.

Security is security, but business is business I guess.

It wasn't worth it to Microsoft to stick to its positions on PatchGuard and the Windows Security Center. The details aren't in yet, but based on Microsoft's vague initial statements it appears that the company has essentially acceded to Symantec's position on PatchGuard and is trying to finesse matters on the Security Center.

The security companies that raised the initial stink are understandably waiting for details, but it probably makes sense for Microsoft to try to make most of them happy enough to shut up and let it ship Vista without raising a further stink.

A computer security expert speaking at the Virus Bulletin conference predicts that hackers will crack the controversial kernel anti-tampering technology within a year of the final release of Windows Vista. Click here to read more.

Symantec's position on PatchGuard has been to create a set of APIs through which certified vendors could install code that bypassed PatchGuard through defined mechanisms.

In a recent blog Symantec put it this way:

  • Symantec has provided Microsoft with recommend APIs that will allow legitimate, authorized and certified security vendors to leverage the same capabilities that we have in prior versions of Windows.
  • Symantec has been asking for these capabilities for well over one year now and therefore these concerns are not a new development to Microsoft.
  • Symantec has repeatedly suggested that Microsoft establish a new certification model that will certify legitimate vendors who seek to extend the Windows Vista kernel. This certification, on top of existing driver certification steps, will ensure that certified vendors are not attempting to bypass Windows DRM and that certified vendors are not malicious and are making genuine enhancements to Windows Vista.
Microsoft security personnel have told me about this proposal in the past and said it makes them nervous, and I can see why. Consider it an increase in the attack surface of 64-bit Windows relative to the current design of PatchGuard.

But still, it does fit with Microsoft's style of doing things, and if the certification program is run fairly and carefully it's not likely introduce malware directly.

I'm more worried about vulnerabilities in the security programs themselves opening up the Windows kernel to attack, but this is probably not a major problem for two reasons: 1) the set of Windows Vista systems is a large target, the set of Vista systems running any particular vulnerable version of a security product much less so; and 2) as Symantec notes, it's possible for third parties, after signing their code properly, to install boot-time kernel drivers. This code could also expose the kernel, but banning third-party code is hardly the answer.

The problem security vendors had with the Vista Security Center was that they can't completely replace it, as they could with Windows XP. When you install a third-party product on XP it will likely shut down the XP Security Center and replace it with the third party's tray/control panel program.

Next page: Microsoft tries to settle objections about its Security and Welcome Centers.

The Security Center in Vista is meant to be a permanent, standard user interface through which users can interact with security software. APIs are provided for basic functions like updating, checking to see if the product is up-to-date and performing a scan. And the Security Center issues alerts to the user, as when the product is out of date, for instance.

Microsoft has agreed to change Security Center so that if a third-party product is installed and issuing an alert, Security Center will not issue that alert. So the company is agreeing to solve the competing alerts issue, but it won't take the Vista Security Center down in the presence of third-party products.

Symantec had also complained about Vista's "Welcome Center," an initial screen the user sees as part of the "out-of-box experience." This screen, in betas and release candidates, has an ad for Microsoft's security software.

Even though Microsoft says the EU didn't bring it up, the company agreed to put in a nearby link to security product information from other vendors.

A similar link exists in the Security Center: If, for instance, you don't have anti-virus software installed, you get taken to a page on microsoft.com that has information on available products. Currently only Trend Micro shows up for Vista, but for Windows XP numerous third parties are listed and free trial versions provided.

More importantly, the configuration of the Welcome Center is under the control of OEMs, from whom almost all users get their copies of Windows. They can remove the references to Microsoft's products and make exclusive deals to promote other companies' products. Anyone who buys (or, more likely, steals) their own Windows copy in order to install it on a home PC is savvy enough to know that it's possible to buy security software from third parties.

After heading up Microsoft's newly formed security technology unit for seven months, Ben Fathi is moving over to manage a Windows Core System development team. Click here to read more.

Will this appease the third-party add-on market? First, it's impossible to say for sure before Microsoft releases details, which could take some time. I suspect vendors will be OK with the PatchGuard solution, assuming it's what it appears to be. There's no valid reason for them to object to the Welcome Center solution.

The Security Center I can see being a problem, even though Microsoft's solution addresses the most important problem. They might say that the existence of two security control panels would be confusing to the user, but Microsoft can't guarantee that a third party will provide minimal security UI functionality, and a third party can't guarantee that if its product is uninstalled it will put the Windows Security Center back. Microsoft has to guarantee that the user will have access to a standard UI for these functions.

In the meantime it would seem that the company wants to do what it has to do to get impediments out of Vista's way. Don't be surprised if it makes even more changes.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larryseltzer@ziffdavis.com.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.

 
 
 
 
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.
 
 
 
 
 
























 
 
 
 
 
 

Submit a Comment

Loading Comments...
























 
 
 
 
 
 
 
 
 
Thanks for your registration, follow us on our social networks to keep up-to-date