AfterTek

PatchGuard is a much-wanted security addition to Windows Vista that will restrict access to the Windows kernel, making it harder for hackers to run nasty software such as rootkits. But it has broken some legitimate software programs, leading to complaints from software vendors including Symantec Corp. and McAfee Inc.

Microsoft fixed up PatchGuard, which also ships with 64-bit versions of Windows XP and Server 2003, last July, according to Stephen Toulouse, senior product manager with Microsoft’s security technology group. But one of the drastic changes Microsoft introduced at that time harmed the operating system’s ability to take advantage of Advanced Micro Devices (AMD) virtualization technology.

As a result, Virtual Server 2005 couldn’t work properly on AMD systems. In September, Microsoft published a “hotfix” patch that corrected the problem. Microsoft has rolled the fix into the 64-bit version of Vista, but the only place it has notified users of the hotfix is on a Virtual Server 2005 documentation page, prompting one security researcher to cry foul, and say that Microsoft has violated its own policy on making exceptions to PatchGuard’s kernel restrictions, to the benefit of its own product.

Microsoft has had to be careful about permitting changes to PatchGuard, as any changes it makes to the software could possibly become a new avenue of attack for hackers. Initially, the software giant said it would not make any exceptions to PatchGuard’s restrictions, but in September, security vendors asked Microsoft for a way to get around PatchGuard, arguing PatchGuard would ultimately make their software less secure.

After a warning from the European Commission, Microsoft eventually pledged to create a set of APIs (application programming interfaces) that would give the security vendors access to the kernel-level computing resources they require. Those APIs are expected to be included in the first service pack for Windows Vista. But according to researcher Ken Johnson, who has published a paper on the new PatchGuard features, Microsoft violated its own rules by releasing the hotfix.

Johnson, a developer with Positive Networks Inc., has researched the paper on his own time and published it under his hacker alias, Skywing. Microsoft’s policy on PatchGuard is that if a driver’s functionality is being blocked by PatchGuard, and there is no way to achieve that functionality with PatchGuard in place, then that functionality will be unsupported on Windows,” Johnson wrote in an e-mail interview. But Microsoft’s PatchGuard policy has changed, although this did not happen until after it released the hotfix, according to Toulouse.

He disputed Johnson’s characterization, saying that Microsoft revised this policy in October. Although the old policy was still listed on Microsoft’s Web site on Friday, software vendors who have problems with PatchGuard can now e-mail Microsoft to request a solution, “be that an existing API or perhaps creating a new one,” Toulouse wrote. This is the process that vendors such as Symantec and McAfee are now going through to develop kernel-level access for their products, he added.

If Microsoft has made a widespread change to its policy on creating new kernel-level APIs, it hasn’t done a very good job of telling software vendors about this, said Gartner Inc. analyst Neil MacDonald. And now that Microsoft is making decisions about what exceptions will and will not be allowed to PatchGuard, it puts itself in the “very precarious position” of having to defend these decisions to European regulators, who will be watching whether this process favors Microsoft’s products.

“It’s a slippery slope,” he said. “I think Microsoft did the wrong thing here.” Johnson agrees that the hotfix reflects a larger issue: the difficulty that legitimate software vendors have convincing Microsoft to relax PatchGuard’s restrictions for their software. “Microsoft seems to have spent a great deal of effort in order to create the impression that there will never be any loosening of PatchGuard’s protections on the system for third-party software. This would seem to put third-party ISVs in a tough position if they have legitimate functionality blocked by PatchGuard,” Johnson wrote.