Users differ over benefits of Microsoft's Patch Guard

Computerworld - IT managers have divided views of a simmering dispute between two major security vendors and Microsoft Corp. over the latter's Patch Guard technology, which prevents access to the 64-bit Windows kernel.

Security software vendors Symantec Corp. and McAfee Inc. say the Patch Guard technology prevents the use of certain features in third-party tools that would make Windows safer from hackers. McAfee this week took out a full-page advertisement in London's Financial Times newspaper and charged that Microsoft's use of Patch Guard is anticompetitive behavior.

Microsoft, meanwhile, contended that the technology itself closes the 64-bit Windows kernel to unauthorized access.

"This is a double-sided sword," said Andreas Wuchner, head of IT security architecture and strategy at Novartis Pharma AG in Basel, Switzerland. "Microsoft got blamed in the past for not being able to [better] protect their customers. Now that they are moving forward, everyone starts blaming them again for being a monopolist."

Robert Bagamery, a systems support specialist at a large Canadian utility that he asked not to be named, suggested that Microsoft's move to close access to the kernel has been poorly disguised by the vendor as a security and feature issue. "It is absurd that we should trust the company responsible for a raft of security snafus to protect our systems too," he said.

The Patch Guard technology is already included in 64-bit versions of Windows XP and Windows 2003, and it will be included in the 64-bit version of the next-generation Windows Vista operating system due out by early next year.

"In the 32-bit version of [Windows], there has always been these undocumented and unsupported ways of modifying the kernel while it is running," said Stephen Toulouse, senior product manager in Microsoft's security technology unit. Such access "introduced stability problems, performance problems and security problems," he said.

Symantec and McAfee argue that restricting access to Vista's kernel hampers their ability to deliver functions such as behavior-based virus blocking and rootkit detection. They also maintain that hackers have already gained access to the kernel of 64-bit Windows systems that are now shipping.

"The notion that by keeping everybody out of the kernel nothing will happen is false," said Sarah Hicks, vice president of consumer product management at Cupertino, Calif.-based Symantec.

A spokeswoman for Santa Clara, Calif.-based McAfee suggested that Microsoft at least allow security vendors to access the Vista kernel. She contended that giving security vendors access to 32-bit versions of Windows has led to the development of "sophisticated security technology."

Dave Jordan, the chief information security officer for Virginia's Arlington County, said that as the use of 64-bit Vista spreads, Patch Guard could limit choices for users. "I don't believe for a moment that the genesis of current exploits comes from the kernel access that has been given to these security vendors," Jordan said. "I'm shocked that they don't want to share their information, especially with the top-name [security] vendors."