The Vista "kernel access" controversy - what does DC think?

JavaJones:
Here's the latest in the month-long controversy surrounding Microsoft's unwillingness to allow 3rd parties (such as antivirus providers) to access the Vista kernel:

--- Quote ---
McAfee said Wednesday that Microsoft has failed to keep its promises, and has not delivered the necessary code and instructions to access the core of the Windows Vista operating system. Microsoft promised the European Commission it would do so last week.

The company is the second in as many days to claim Microsoft is not providing the APIs needed by its security partners. On Tuesday, Sunbelt Software called the company's announcement about sharing APIs a "red herring" to fool the press.
--- End quote ---

http://www.betanews.com/article/McAfee_MS_Failing_to_Provide_Code/1161180764

Now the first time I read about this a few weeks ago my first thought was the same as Microsoft's position - if A/V providers can't access the kernel due to protections, shouldn't that protection be kept in place to prevent issues, not opened up potentially causing them? Sure you could argue there are bound to be vulnerabilities in it, but if the problem is something Symantec can solve with downloadable updates, then it's certainly something MS could solve in the same way. It seems to me then the proper way to deal with this would be for companies like Sunbelt, etc. to report any discovered vulnerabilities to MS for fixing, *not* to force MS to open things up to potentially more issues. Seems like McAfee and the rest are just crying over sour grapes. MS takes steps to increase security and it *may* slightly hurt their business model - must we now be mandated to insecurity just to protect a company's "right to profit"? This reminds me of the RIAA. ;)

I did some searching here and didn't see much discussion of this issue, but it's something I'm really interested to hear other (non-Betanews - e.g. informed and reasonable :D) opinions on. So, thoughts and comments? Is MS in the right here; are McAfee and the rest just being bullies to protect their business models? Or is MS just trying to provide false hope of real security and we *need* 3rd parties to go poking around in the kernel to make it truly secure?

- Oshyan

Carol Haynes:
I've deleted the email so I haven't got the link but there was a news announcement today that MS have now started distributing the APIs to security companies.

f0dder:
There's two levels to this.

One is allowing unsigned drivers - which is bad enough; several of the Sysinternals tools need drivers to run, and the malware authors will find ways to bypass this anyway.

The next level is the "PatchGuard" system or whatever it's called, which will hang the system if certain kernel mode structures are modified. Yes, malware tends to modify these structures, but so does antivirus and firewall software, and stuff like Sysinternals Filemon/Regmon.

Obviously the bad guys will, once again, find a way to bypass patchguard, while legitimate users will be hurt.

Abandon ship, abandon ship...

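The integrity check f0dder describes, as an added illustration that is not code from this thread, from Windows, or from any of the products mentioned: a user-mode model of a PatchGuard-style monitor that hashes a kernel dispatch table (the SSDT is the classic target) and flags any change. The point it makes in running code is the one the post makes in words: a hook installed by an antivirus filter and a hook installed by a rootkit are byte-for-byte the same kind of modification, so a checker that only compares the table against a baseline cannot tell them apart. All names here (`svc_*`, `pg_*`, `install_read_hook`) are hypothetical stand-ins for the kernel structures and are not real Windows APIs.

```c
/* Added example: a toy model of a PatchGuard-style integrity check over
 * a dispatch table. Not Windows code; every name below is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef int (*svc_fn)(int arg);

#define SVC_COUNT 3
#define SVC_READ  1   /* index of the entry we will hook */

/* Stand-ins for kernel services reached through a dispatch table. */
static int svc_open(int arg)  { return arg + 1; }
static int svc_read(int arg)  { return arg * 2; }
static int svc_close(int arg) { return arg - 1; }

/* Stand-in for a kernel service table such as the SSDT. */
static svc_fn dispatch[SVC_COUNT] = { svc_open, svc_read, svc_close };

/* Saved original entry so the hook can chain to it, exactly as both
 * AV filter drivers and rootkits do. */
static svc_fn original_read = NULL;

/* A filter hook. Whether the body scans the result for malware or hides
 * a rootkit's files, the table modification it requires is identical. */
static int hooked_read(int arg) {
    int r = original_read(arg);
    /* ...inspect or alter r here... */
    return r;
}

/* FNV-1a over the raw bytes of the table: the "baseline vs. now"
 * comparison a structure-integrity monitor performs. */
static uint64_t table_hash(const svc_fn *t, size_t n) {
    const unsigned char *p = (const unsigned char *)t;
    size_t len = n * sizeof(*t);
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t pg_baseline;

/* Record the table's hash at "boot". */
void pg_init(void) { pg_baseline = table_hash(dispatch, SVC_COUNT); }

/* 1 if the table still matches the baseline, 0 if any entry changed. */
int pg_verify(void) { return table_hash(dispatch, SVC_COUNT) == pg_baseline; }

/* Install the hook the way a filter driver or rootkit would. */
void install_read_hook(void) {
    if (original_read) return;          /* already hooked */
    original_read = dispatch[SVC_READ];
    dispatch[SVC_READ] = hooked_read;
}

/* Put the original entry back. */
void remove_read_hook(void) {
    if (!original_read) return;
    dispatch[SVC_READ] = original_read;
    original_read = NULL;
}

/* Dispatch a call through the (possibly hooked) table. */
int call_read(int arg) { return dispatch[SVC_READ](arg); }

int main(void) {
    pg_init();
    printf("clean table : verify=%d\n", pg_verify());

    install_read_hook();
    printf("hooked table: verify=%d, read(21)=%d\n", pg_verify(), call_read(21));
    if (!pg_verify())
        printf("  -> the real monitor would bugcheck here "
               "(CRITICAL_STRUCTURE_CORRUPTION, 0x109); it has no way to know "
               "whether the hook is an AV filter or a rootkit\n");

    remove_read_hook();
    printf("restored    : verify=%d\n", pg_verify());
    return 0;
}
```

The monitor sees only that `dispatch[SVC_READ]` no longer holds the value it held at boot; it has no notion of who installed the hook or why. That is the trade-off the thread is arguing over: the check blocks the technique rather than the intent, which catches rootkits that patch the table but equally catches the legitimate products that used the same technique.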
NeilS:
There's obviously a certain amount of self-preservation going on here on the part of the various security vendors, but there's also more than an element of truth to what they are saying.

When it comes to security, choice is pretty critical. Part of this choice simply comes down to who you trust (and I'm sure plenty of people are understandably wary of trusting MS that much), and a large part of it comes down to how you want the security measures on your system to manifest themselves.

For example, the average Windows user isn't going to want their system so locked down that everything they do causes a security dialog to pop up. In fact, the average user won't know what many of the dialogs mean. So they typically want security which does a decent job with minimal user interaction.

More discerning/paranoid users might want increased security, and won't mind paying the extra cost in terms of effort required to train/tune the system to be as secure as possible.

By locking security vendors out of the kernel, MS would be effectively removing the user's choice of security system. Although MS could conceivably provide a security system which caters for most people pretty well, they'll never cover everyone and, to be honest, covering "most people" has never been their strong suit either.

Anyway, it sounds like they might be backtracking already, but even if they aren't, it's likely that they will at some point. It wouldn't be the first time.

JavaJones:
Er, ok yes they'll find a way to bypass, but is it better to provide an actual API to do so (that ostensibly only A/V companies have access to, but yeah right!), just so the few A/V companies that are complaining about this can do as they please? The likelihood is *someone* will have to patch this. MS is already committed to monthly security updates, so it is certainly likely they would be able to provide a patch for any discovered vulnerabilities. Maybe not quite as fast as the A/V companies, but it's arguable the holes would be smaller and less visible without such APIs available.

I dunno, the whole thing just seems suspicious. I'm not so much interested in whether MS comply but in talking about whether they *should*. Perhaps none of us know enough about this to comment with authority, but I do note that the few companies who have officially complained are some of the ones I respect *least* in the field of security. McAfee and Symantec in particular are pretty far down on my list of security products to recommend. Meanwhile on the other side, companies who explicitly say this is *not* necessary, you have Sophos and Kaspersky Labs (I think), two of the more well-respected and still reliable companies, but also perhaps not coincidentally two of the smaller ones (well behind Symantec and McAfee anyway). So it seems to me there is more going on here than it appears, at least on the face of these companies' requests.

Neil: Locking people out of the kernel is a pretty low-level security measure to protect against a relatively few very specific attacks. Most viruses *do not* alter the kernel at present, and A/V providers shouldn't necessarily have to either. MS already said they would allow companies to replace their warnings and whatnot with their own version - that seems to be enough to satisfy the needs you outline (which I agree are very legitimate). All I can really say to that in closing is that from what I've seen 3rd party companies have historically always been responsible for *complicating* the security and protection scenarios, not simplifying them (albeit they do generally provide more protection than MS's defaults). So I'm not sure I really see your point. I agree that is basically what these companies are arguing, but I'm just not convinced at all that they need this level of access to provide their services adequately.

- Oshyan
