Authentium Circumvents the PatchGuard Kernel Protection
I’ve posted before about how security companies are up in arms about the new Windows PatchGuard protection from Microsoft that can block any application from accessing, or “hooking” Vista’s kernel commands, a technique utilized by vendors in sophisticated anti-tampering and behavior monitoring tools, and used by hackers in attacking computer systems with rootkits. Authentium says they have circumvented this feature using a loophole that allowed the operating system to support older hardware.
The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.
When a program of any kind attempts to modify the kernel on a system running PatchGuard, which is already available in 64-bit versions of Microsoft’s Windows XP OS, the computer produces a blue screen and stops all other Windows applications from running.
Authentium said its workaround allows it to access the kernel without incurring the shut-down.
The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company’s tools to infiltrate Vista’s kernel hooking driver, and get out, without the OS knowing the difference. Source: eWeek
Looks of good reading there, including more info on PatchGuard and links to other articles where security companies have taken Microsoft to task over it. One industry insider says he thinks McAfee and Symantec have already done this themselves, but are keeping the heat on for a different reason,
At least one industry watcher believes that Symantec and McAfee have developed methods of their own for working with, or circumventing, PatchGuard, and contends that the firms have only kept the heat on Microsoft over the feature to keep antitrust regulators alert to Microsoft’s continued push into their territory.
Which makes sense, they have to protect their bread and butter. Alex Eckelberry from Sunbelt has posted a few articles on PatchGuard, but the one he posted today actually made a lot more sense than the other complaints I have seen from Symantec,
The lesson? We cannot predict how malware authors will work in the future, and that is one reason why PatchGuard is such a potentially dangerous technology.
PatchGuard creates a barrier to the kernel, against which security vendors (the major defensive bulwark for Microsoft) can’t get in to to help the operating system against an attack, at least without permission through APIs.
The ability of security companies to fully support the 64 bit Windows platform itself, a fact that Gartner’s Neil McDonald recently highlighted in his warning that if enterprises use HIPS technology, they should postpone deployment of Vista. After all, the APIs won?t even be available until 2008!
HIPS (which stands for Host Intrusion Prevention System), uses methods at the kernel to prevent certain types of attacks. HIPS is part of our Kerio line and it?s also part of other products out in the market. For example, our HIPS functionality helps protect against buffer overflow attacks, by watching for system functions being called from memory locations where they shouldn’t be called. As another example, our Kerio Server Firewall uses HIPS to provide application lockdown.
McAfee, Symantec and other companies, like Sunbelt, need this access. For Symantec, it?s around a number of technologies they’ve implemented at the kernel, including Tamper Protection, which prevents hackers from attacking Symantec products themselves. For us, it’s around HIPS, but it could also affect other technologies that we are developing.
Now, every other article I have read on PatchGuard and these security companies, and I could have missed a bunch I am sure, has just pretty much been whining about how Microsoft won’t allow use access to the kernel, this is the first good explanation of why they need this access. If some new threat, remember Code Red, comes out that requires access to the kernel to prevent it, then these security companies will have to ask Microsoft for an API to the kernel, where, before they could have just added the extra functionality. And we all know how long it takes Microsoft to issue patches, what will they do if a new threat comes out, will they help security vendors fix it, or will they try to fix it themselves?