Text 22862, 158 lines
Written 2006-10-23 18:36:54 by Jeff Guerdat (1:275/311)
Subject: Vista anti-virus software, part deux
============================================
From Brian Livingston's Windows Secrets newsletter:
Vista changes lock out antivirus makers
By Ryan Russell
Microsoft is making statements
(http://windowssecrets.com/links/16500d/9d104eh/) claiming it's going to
let security vendors such as Symantec and McAfee have access to the
Vista kernel. I don't believe it.
Some people say that Microsoft is merely trying to protect the kernel
and that Symantec and McAfee are afraid of fair competition. After
Microsoft announced its new Vista security APIs, similar voices argued
that allowing third-party security vendors to make effective products
would also let in the bad guys.
Read on, and I'll explain why I don't think these arguments hold water.
What has Microsoft promised security vendors?
If you saw some of the initial news accounts, Microsoft appeared to be
caving in to demands to allow greater access to other security vendors,
as reported by Ars Technica on Oct. 16
(http://windowssecrets.com/links/16500d/aa0d0fh/). However, a follow-up
article on Oct. 18 (http://windowssecrets.com/links/16500d/16af61h/)
reveals that both McAfee and Symantec haven't been given much. A McAfee
spokesman says Microsoft has released only a single document vaguely
describing some kind of API (application programming interface).
Microsoft has already hinted that the "full" security API may be a year
or more away. The company is not providing any firm dates for any such
development. At the same time, the current version of Vista may be the
final release candidate, and Microsoft is on the verge of shipping the
new OS to business users.
We've seen behavior like this in the recent past. Something tells me
that Microsoft is trying to unfairly take advantage of its monopoly
while dragging out any legal remedies as long as it can.
The factors driving Microsoft's Vista promises
Let's first look at Microsoft's motivation. The Redmond company is now
in the security utility business. Unlike many other cases, such as its
bundling of Internet Explorer with Windows, Microsoft this time is not
introducing a new product by giving it away free as part of the
operating system. Instead, Microsoft is now charging extra for security
software, on top of the price of Windows itself.
At the same time that Microsoft is deciding to compete with security
vendors for sales, the company faces a very real threat from the
European Union, as recently described in a News.com analysis
(http://windowssecrets.com/links/16500d/1d8a49h/). If Microsoft tries to
use its monopoly position to create a "security monoculture," in the
words of one EU official, regulators might go as far as not allowing the
sale of Vista in Europe.
Unlike fines of hundreds of millions of dollars, which Microsoft can
afford to pay, the threat of an injunction has the company's full attention.
I'm pretty sure that Microsoft doesn't care about McAfee's and
Symantec's complaints on their merits. But the fact that those companies
have the ear of the EU has forced Microsoft to appear concerned.
Are there any valid reasons for Microsoft to lock security vendors out
of the deepest parts of Vista? Microsoft has mentioned the importance of
protecting the kernel from attackers. Let's look into whether locking
out security software improves users' protection.
Keep in mind that we don't yet know whether Microsoft will lock out its
own add-on software.
Can Vista actually protect its kernel?
All of the following applies only to the 64-bit version of Vista, not
the 32-bit version. The shift to 64 bits required some significant
architectural changes. In the process, Microsoft was able to enable a
number of new protection mechanisms. To be sure, the 64-bit Vista is a
cleaner Windows than any past Windows — no argument from me there.
Even so, can Vista successfully protect its own kernel? I believe that
it cannot. The reason is simple: every new, 64-bit driver, which
Microsoft requires to be digitally signed, runs at the same privilege
level as the kernel itself. They all run in Ring 0 — the most privileged
access level on Intel architecture, aside from hardware virtualization.
For the sake of this discussion, I'm making a blanket statement here
that should be qualified. Some drivers may in fact run with fewer
privileges. The new Vista architecture may allow for even more privilege
restriction in the future. But my basic point stands: there will be a
ton of code running next to the kernel that is not the kernel.
In my June 6 article
(http://windowssecrets.com/links/16500d/4d00abh/sy3crnw9dsssu/60646-00435r/)
in the paid version of the newsletter, I talked about how Windows can be
hacked via buggy drivers. All of that still applies to Vista. Sure,
Vista will be better. I'm hoping for fewer bugs. The problem is, it has
to be perfect and have zero bugs in order for this model to really work.
That means zero bugs in all the Vista kernel code, zero bugs in all the
drivers that Microsoft supplies, and zero bugs in any third-party
drivers that you happen to install. If a single one of those pieces has
a bug, then the bad guys can get into the kernel.
Microsoft has, of course, implemented several checks and balances in
hopes of preventing the rootkits from moving in. But the rootkits will
simply disable the checks. It will be the same game of patch-and-exploit
that we've been playing for years now.
Why security vendors need equal access
A technical rendition of how the whole process works is provided in an
excellent article (http://windowssecrets.com/links/16500d/efc200h/) on
the subject, aptly entitled Bypassing PatchGuard on Windows x64, at
security site Uninformed.org.
For another description, read Joanna Rutkowska's Oct. 19 analysis
(http://windowssecrets.com/links/16500d/d7c6ddh/) of the subject. This
is the same Joanna Rutkowska who demonstrated one of the first
"hypervisor" rootkits at Black Hat Briefings this year. She points out
that a high level of sophistication won't be necessary to subvert Vista.
She may or may not disagree with me on whether vendors should be locked
out of the kernel, but she certainly agrees with me that malware will
get in.
I take it for granted that the black hats will find ways into the
kernel. Do you want security software to be able to go in and root the
bad stuff out? If not, I believe your only alternative will be to wipe
the disk and reinstall. Of course, a wipe-and-reinstall is not a bad
idea if you want to be sure you've completely eliminated a pest. But we
have to recognize that this is simply not practical advice for the vast
majority of users.
There will continue to be kernel malware. I believe we need products to
be able to remove that malware. That leaves one question: who should be
allowed to make software that can do that?
I suspect Microsoft will permit its own software to do so. As a matter
of fact, I'd complain loudly if Microsoft's security software couldn't
operate on the kernel. When kernel threats appear, you bet I expect
Microsoft to try to clean them out.
The question is whether you'll be able to pay third parties to try also.
Their approaches could well be more effective than Microsoft's. I
personally don't want to rely solely on the Redmond software giant for
such products. I want to have options and I want to have fair
competition. Those are things you don't have when a company that
dominates a market is allowed to use its monopoly to shut out competitors.
Do I trust Symantec or McAfee to always remove malware better, to be
bug-free, to not destabilize the system? No, not at all. But, by the
same token, I don't trust Microsoft to always have those qualities, either.
Despite my desire for competition, I use Windows, just as you probably
do. But I've made a choice to use Windows. As long as I get to pick my
poison, I'll live with its side-effects.
--- Platinum Xpress/Win/WINServer v3.0pr5a
* Origin: FidoTel & QWK on the Web! www.fidotel.com (1:275/311)