October 20, 2006 | Comments: (0)
Microsoft AV talks go 'Jerry Springer'
Microsoft's talks with the antivirus industry over ways to circumvent its PatchGuard kernel protection technology have turned from chilly to ugly faster than a pair of cheating lovers on Jerry Springer.
Microsoft proposed the talks last week, after agreeing to turn over APIs for suppressing Vista features like the Security Center management console and to discuss ways to help the companies get around kernel patch protections in 64-bit versions of Windows.
The company was under pressure from the European Commission, which had sent signals that it was worried Vista's security features would stifle innovation in the field.
Microsoft has long maintained that it would not allow patches to the 64 bit Windows kernel, saying that it was bad practice and that there was no way to do it without also providing an avenue for hackers to do the same. Symantec, McAfee and other vendors charge that kernel patching is vital to behavioral detection products and other next generation security tools.
By all accounts, the meeting, Thursday morning, got off to a rocky start. According to Microsoft Security guru Stephen Toulouse, the company "had a glitch where we sent out a messed up link. People joining using the link resulted in basically the first attempt at the meeting folding and we had to scramble to set it up again."
In the end, 20 ISVs were able to attend, though many representatives from Symantec were not able to join in, according to spokesman Cris Paden. Another meeting was scheduled for Thursday evening, and a follow-up meeting has also been set for Monday, according to Toulouse's blog.
Meeting or no meeting, it seems like AV vendors weren't in a mood to wait around for the talks to conclude before unloading on Microsoft. Suggestions were flying shortly after the technical gaffe that it was a deliberate attempt to shut Microsoft's harshest critics out of the discussions.
McAfee issued a public statement Thursday evening, attributed to Christopher Thomas of Lovells, McAfee's outside litigation counsel in Brussels, saying the company has "seen little indication that Microsoft intends to live up to the promises it made last week."
"We have been greatly disappointed by the lack of action by the company so far and Microsoft has not lived up, either in detail or in spirit, to the hollow assurances offered by their top management last week," Thomas was quoted as saying.
Microsoft shot back early Friday, with a statement attributed to Security Technology Unit Vice President Ben Fathi, noting specific dates and times on which Microsoft had sent documentation and sample code for allowing third-party companies to control Security Center alerts.
"On the longer-term issue of working with the industry to develop additional APIs and interfaces beyond what is available already today on x64bit with Kernel Patch Protection," Fathi said, "These discussions are underway between our engineering teams and our third-party security partners about the functionality they are seeking, and how to prioritize this significant work in the months ahead."
Which brings us to the nub of the issue here -- despite news reports to the contrary last week, Microsoft never really gave ground on the PatchGuard issue and it doesn't look like they intend to now. Fathi, Toulouse and others are saying what Microsoft has always said: they'd work with ISVs to define the functionality they want and look for ways to extend the Vista kernel to accommodate them. Allowing runtime patching of the kernel, however, is a no-go. Moreover, designing and building the APIs that the security vendors are looking for will take time -- certainly more time than vendors have before Vista hits the street.
As Toulouse himself blogged, shortly after news broke of the "compromise" with AV players: "I want to be crystal clear on this: We have not changed the implementation of or our commitment to Kernel Patch Protection in Windows Vista for x64bit systems. It’s still there, it’s not going to be turned off or have blanket exceptions granted for it." Period. Now stand up so I can throw this chair at you!
To be honest, Microsoft's line on PatchGuard has always sounded believable to me. Runtime kernel patching is a "don't try this at home" type of activity, and allowing ISVs to do it would seem to open the 64 bit platform up to the kind of spy vs. spy games that AV companies play with rootkit authors on 32 bit platforms -- with predictable results.
Microsoft just received an important endorsement for that position from rootkit author and researcher Joanna Rutkowska, who wrote on her Invisible Things blog that PatchGuard shouldn't necessarily be thought of as a security feature, and won't stop some classes of malicious programs from subverting the kernel protections. What it will do is make it a lot easier to spot and block kernel-level hooking, by assuring that legitimate programs are not using that technique. Therefore any program that is trying to hook the operating system kernel must be illegitimate.
Not that Rutkowska's opinions will make much difference. The fact that McAfee is already issuing statements through counsel in the EU is a sign of where this debate is going. Namely: direct to the antitrust officials in Brussels. There may have been no way around this, given how hard Symantec and McAfee have promised to fight to protect their markets. But Microsoft certainly didn't make life easier on itself by withholding any information -- APIs, documentation, whatever -- in a way that could be construed as anticompetitive.
Hold on to your hats, and watch the flying chairs -- this fight's going to be a doozy!
Posted by Paul Roberts on October 20, 2006 08:54 AM
- COMMENTS
people should dump norton and mcafee both are old generation programs which don't detect viruses and also mess up your OS big time. there are other good programs...NOD32,TRENDMICRO ETC ETC HOPE Microsoft will not give up their positions...GO microsoft!!!
Posted by: harry at October 21, 2006 08:02 AM
The big guys who had been making tons of money due to the security holes are now scared that the holes are being plugged. Looks like it's a conspiracy to cheat the poor customers. I would like to see MS tell these guys to *&$%-off.
I agree with Harry's post. McAfee and Symantec are out-dated stuff. People should go for better and free anti-virus stuff, like Avast, which I have personally found excellent. My apprehension is that McAfee or Symantec may buy out the free stuff on the market, then start charging for them.
I've been waiting a long time for kernel protection. I sure as hell don't want the AV ISVs weakening the product now. If MS has to sell a weakened product for the EU market, I hope they can sell the stronger product in the US market! I don't want the EU controlling what we can get in the US.
Posted by: Mike Lieberman at October 23, 2006 03:26 PM