Security vendors still waiting to hear from Microsoft on PatchGuard

Despite Microsoft pledge, McAfee, Symantec say software vendor mum on specifics

Despite its public statements, Microsoft Corp. so far has not given security vendors any specifics on its plans to release code that will allow them to work around a kernel protection technology called PatchGuard in the upcoming Vista operating system.

Even if Microsoft eventually releases such code, it's likely to be too little, too late, according to executives at several computer security companies.

The issue is important for enterprises because many relatively advanced functions that are available in third-party security products are likely to be crippled in a 64-bit Vista environment unless the issue is resolved or vendors find a way to bypass PatchGuard.

PatchGuard has been at the center of a simmering dispute between Microsoft and several security vendors, most notably Symantec Corp. and McAfee Inc. Microsoft maintains that PatchGuard would increase operating system reliability by protecting the Vista kernel from unauthorized modification by third parties, including security vendors and malicious attackers.

But vendors such as Symantec and McAfee argue that PatchGuard would prevent them from delivering certain key functions in their products. This includes capabilities such as behavior-based virus detection, host-based intrusion prevention and software tamper protection, all of which work by making modifications to the operating system kernel.

Last week, in an apparent bid to assuage broader antitrust concerns related to Vista in the European Union, Microsoft announced that it would make security application programming interfaces (API) available that would let vendors get around PatchGuard.

In an interview with Computerworld earlier this week, Stephen Toulouse, senior product manager in Microsoft's security technology unit, said that the company was "accelerating its decision" regarding extensions to the Vista kernel.

"What we are doing right now is sitting down with vendors and getting specifications" for kernel-related APIs. Toulouse said. The APIs will allow vendors to deliver the same kind of security functions they have been delivering, while still preventing kernel modifications, he said. Such APIs will be developed in "combination with" independent software vendors over the next several months, with the first set of APIs likely to be available with Service Pack 1 for Vista, he said.

But so far at least, none of those discussions has involved APIs related to PatchGuard, said George Heron, chief scientist at McAfee. Contrary to what Microsoft has said publicly, "we haven't received any information at all regarding PatchGuard," Heron said. "We have no idea what APIs they are speaking of with respect to PatchGuard," nor has there been any official notice on when they might become available, he said.

With Vista scheduled to start shipping sometime later this year, "it is not really fair for Microsoft to wait until the eleventh hour" to release APIs, because vendors need time to modify their products, Heron said.

Rowan Trollope, vice president of consumer engineering at Symantec, also said that the company has received no details on APIs related to PatchGuard. And even if such APIs eventually become available from Microsoft, they will address only a part of the problem, Trollope said.

At best, such APIs will allow security vendors only to continue delivering the functions they currently have in products meant for 64-bit Vista environments, he said. But as long as Microsoft continues to prevent kernel access via PatchGuard, there's going to be a "chilling effect" on innovation in the security market, Trollope said.

That's because vendors will need to wait for Microsoft to release new APIs each time they want to implement any new security functionality that involves kernel patching, McAfee's Heron said.

As a result, the best approach for Microsoft to take is to allow kernel-level access to qualified security vendors, he said. Microsoft has done this wth 32-bit Windows platforms, and there's little reason to change that policy now, Heron said.

"We are not disagreeing with PatchGuard policy," Trollope added. "But Microsoft needs to provide an exception for security vendors with signed drivers to patch the kernel. We are not saying let everyone in."

Until that time, Microsoft's talk about PatchGuard APIs is little more than a "giant red herring" that makes it appear that the company is cooperating with security vendors, said Alex Eckelberry, president of Sunbelt Software, a Clearwater, Fla.-based security vendor. "The problem is there are no documented or undocumented APIs for some functions," Eckelberry said. "The only way to implement it is to go in and modify the kernel."

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon