

Research firm Gartner on Thursday said that Microsoft’s proposed changes to Windows Vista security, particularly plans to create APIs that will let security vendors access some aspects of the operating system kernel, will take years to implement. Microsoft’s concessions, which were announced last week as part of a multiple-move effort to avoid new antitrust charges or fines leveled by the European Union’s Competition Commission, included changes to PatchGuard, technology to be deployed in the 64-bit version of Windows Vista that walls off the kernel.

PatchGuard is meant to stop malicious code from making changes at the kernel level, and has been touted by Microsoft as a defense against rootkits and other malware. Security vendors, particularly Symantec and McAfee, objected to PatchGuard, and charged that by blocking “kernel hooking” (intercepting Windows’ system calls and modifying the kernel dispatch table), Microsoft was making it impossible for them to implement advanced security techniques. Both companies were blunt in accusing Microsoft of locking down the kernel to stifle rival security products.

As part of the plan outlined Friday and reiterated this week, Microsoft said it will create a set of APIs (Application Programming Interfaces) that will give a select group of legitimate security vendors the ability to duplicate on the 64-bit edition of Vista the functionality they now have via kernel hooking on 32-bit Windows, but “without direct access to the kernel.”

Those APIs are going to take time, lots of time, to build, said Gartner analyst Neil MacDonald in a research note.

“These APIs do not yet exist, and the changes will require changes to the 64-bit Windows kernel that will not be complete in time for the initial release of Vista,” said MacDonald. “Moreover, any kernel changes may have a ‘ripple effect’ up the software stack and will require retesting of all of Windows Vista applications.”

In fact, MacDonald estimated that the first APIs won’t be delivered until early 2008, about the time a first service pack (SP1) for Windows Vista would be expected. “More complex work and more APIs [would be] delivered with SP2 or later,” he added. The effect: a possible stall in enterprise adoption of the 64-bit edition of Vista.

“Only partial functionality may be available even after SP1’s release,” warned MacDonald. Enterprises should then “pressure ISVs [Independent Software Vendors] and Microsoft to work together to achieve rapid development of mutually acceptable, trusted methods of interacting with the Windows kernel, starting with SP1 and evolving over the next several years.”

On another Vista security front, Microsoft also promised it would bend on the operating system’s security dashboard, dubbed Windows Security Center. Vendors had wanted Microsoft to give them the means to completely disable the dashboard and replace it with their own, but the Redmond, Wash. developer only offered to hand over APIs that would let rivals suppress Security Center alerts that duplicated those from the vendors’ consoles.

