Security vendors still waiting to hear from Microsoft on PatchGuard

Computerworld - Despite its public statements, Microsoft Corp. so far has not given security vendors any specifics on its plans to release code that will allow them to work around a kernel protection technology called PatchGuard in the upcoming Vista operating system.

Even if Microsoft eventually releases such code, it's likely to be too little, too late, according to executives at several computer security companies.

The issue is important for enterprises because many relatively advanced functions that are available in third-party security products are likely to be crippled in a 64-bit Vista environment unless the issue is resolved or vendors find a way to bypass PatchGuard.

PatchGuard has been at the center of a simmering dispute between Microsoft and several security vendors, most notably Symantec Corp. and McAfee Inc. Microsoft maintains that PatchGuard would increase operating system reliability by protecting the Vista kernel from unauthorized modification by third parties, including security vendors and malicious attackers.

But vendors such as Symantec and McAfee argue that PatchGuard would prevent them from delivering certain key functions in their products. This includes capabilities such as behavior-based virus detection, host-based intrusion prevention and software tamper protection, all of which work by making modifications to the operating system kernel.

Last week, in an apparent bid to assuage broader antitrust concerns related to Vista in the European Union, Microsoft announced that it would make security application programming interfaces (API) available that would let vendors get around PatchGuard.

In an interview with Computerworld earlier this week, Stephen Toulouse, senior product manager in Microsoft's security technology unit, said that the company was "accelerating its decision" regarding extensions to the Vista kernel.

"What we are doing right now is sitting down with vendors and getting specifications" for kernel-related APIs. Toulouse said. The APIs will allow vendors to deliver the same kind of security functions they have been delivering, while still preventing kernel modifications, he said. Such APIs will be developed in "combination with" independent software vendors over the next several months, with the first set of APIs likely to be available with Service Pack 1 for Vista, he said.

But so far at least, none of those discussions has involved APIs related to PatchGuard, said George Heron, chief scientist at McAfee. Contrary to what Microsoft has said publicly, "we haven't received any information at all regarding PatchGuard," Heron said. "We have no idea what APIs they are speaking of with respect to PatchGuard," nor has there been any official notice on when they might become available, he said.

With Vista scheduled to start shipping sometime later this year, "it is not really fair for Microsoft to wait until the eleventh hour" to release APIs, because vendors need time to modify their products, Heron said.