Windows Secrets Newsletter • Issue 84a • 2006-10-23 • Circulation: over 140,000
INTRODUCTION

The battle over the Vista kernel

By Brian Livingston

I'm publishing a special news update today. Why? Because Microsoft substantially changed the debate over the security of Windows Vista just after our Oct. 12 issue appeared.

Two articles by our contributing editors in that newsletter criticized Microsoft Corp. for poor security planning:

Woody Leonhard reported that Microsoft had stopped giving antivirus companies equal access to newly discovered virus signatures. The Redmond company is now withholding the information to benefit its own for-pay service, Live OneCare, our contributor said. Also, Microsoft's free malware service, now called OneCare Safety Center, is no longer being updated with the latest signatures, Woody charged.

Ryan Russell analyzed, in the paid section of the newsletter, what he called a "concerted effort" by Microsoft to restrict security vendors' access to the 64-bit Windows Vista kernel. Independent security firms say that Microsoft is giving privileged access to its own competing security products, Ryan wrote.

The day after our newsletter was published, Microsoft general counsel Brad Smith said that the software giant would allow outside security vendors to protect the Vista kernel, according to an article in the Seattle Times. On Oct. 16, the Associated Press reported that Microsoft had started giving some technical information to McAfee, Symantec, and other white-hat security experts to enable competition in security products.

Do Microsoft's statements represent a true change of heart? Or do they merely obscure the "Netscaping" of independent security vendors? In other words, does Microsoft plan to use inside information to monopolize the security market as it monopolized the browser market?

I asked Ryan to write about the latest developments, this time in the free edition of the newsletter. This controversy isn't going away any time soon, and I think Ryan offers a valuable perspective on the future (and the possible demise) of the independent Windows security industry.

To upgrade to the paid version of the newsletter, so you see our best information as soon as it's published, you may simply make a financial contribution of any amount it's worth to you. We have no fixed fee; we want as many people as possible to get the information.

News updates have no paid version

Today's e-mail message is a news update. Our next regular bimonthly issue will be published on Oct. 26.

News updates don't include our usual columnists or other sections. A news update also has no paid version. The same short message goes out to both our free and our paid subscribers.

Brian Livingston is editor of the Windows Secrets Newsletter and the coauthor of Windows 2000 Secrets, Windows Me Secrets, and eight other books.

TOP STORY

Vista changes lock out antivirus makers

By Ryan Russell

Microsoft is making statements claiming it's going to let security vendors such as Symantec and McAfee have access to the Vista kernel. I don't believe it.

Some people say that Microsoft is merely trying to protect the kernel and that Symantec and McAfee are afraid of fair competition. After Microsoft announced its new Vista security APIs, similar voices argued that allowing third-party security vendors to make effective products would also let in the bad guys.

Read on, and I'll explain why I don't think these arguments hold water.

What has Microsoft promised security vendors?

If you saw some of the initial news accounts, Microsoft appeared to be caving in to demands to allow greater access to other security vendors, as reported by Ars Technica on Oct. 16. However, a follow-up article on Oct. 18 reveals that neither McAfee nor Symantec has been given much. A McAfee spokesman says Microsoft has released only a single document vaguely describing some kind of API (application programming interface).

Microsoft has already hinted that the "full" security API may be a year or more away. The company is not providing any firm dates for any such development. At the same time, the current version of Vista may be the final release candidate, and Microsoft is on the verge of shipping the new OS to business users.

We've seen behavior like this in the recent past. Something tells me that Microsoft is trying to unfairly take advantage of its monopoly while dragging out any legal remedies as long as it can.

The factors driving Microsoft's Vista promises

Let's first look at Microsoft's motivation. The Redmond company is now in the security utility business. Unlike many other cases, such as its bundling of Internet Explorer with Windows, Microsoft this time is not introducing a new product by giving it away free as part of the operating system. Instead, Microsoft is now charging extra for security software, on top of the price of Windows itself.

At the same time that Microsoft is deciding to compete with security vendors for sales, the company faces a very real threat from the European Union, as recently described in a News.com analysis. If Microsoft tries to use its monopoly position to create a "security monoculture," in the words of one EU official, regulators might go as far as not allowing the sale of Vista in Europe.

Unlike fines of hundreds of millions of dollars, which Microsoft can afford to pay, the threat of an injunction has the company's full attention.

I'm pretty sure that Microsoft doesn't care about McAfee's and Symantec's complaints on their merits. But the fact that those companies have the ear of the EU has forced Microsoft to appear concerned.

Are there any valid reasons for Microsoft to lock security vendors out of the deepest parts of Vista? Microsoft has mentioned the importance of protecting the kernel from attackers. Let's look into whether locking out security software improves users' protection.

Keep in mind that we don't yet know whether Microsoft will lock out its own add-on software.

Can Vista actually protect its kernel?

All of the following applies only to the 64-bit version of Vista, not the 32-bit version. The shift to 64 bits required some significant architectural changes. In the process, Microsoft was able to enable a number of new protection mechanisms. To be sure, the 64-bit Vista is a cleaner Windows than any past Windows — no argument from me there.

Even so, can Vista successfully protect its own kernel? I believe that it cannot. The reason is simple: every new 64-bit driver, which Microsoft requires to be digitally signed, runs at the same privilege level as the kernel itself. They all run in Ring 0, the most privileged mode on the Intel architecture apart from the hypervisor mode added by hardware virtualization. The signature establishes who published a driver, not that the driver is free of bugs.

For the sake of this discussion, I'm making a blanket statement here that should be qualified. Some drivers may in fact run with fewer privileges. The new Vista architecture may allow for even more privilege restriction in the future. But my basic point stands: there will be a ton of code running next to the kernel that is not the kernel.

In my June 6 article in the paid version of the newsletter, I talked about how Windows can be hacked via buggy drivers. All of that still applies to Vista. Sure, Vista will be better. I'm hoping for fewer bugs. The problem is, it has to be perfect and have zero bugs in order for this model to really work.

That means zero bugs in all the Vista kernel code, zero bugs in all the drivers that Microsoft supplies, and zero bugs in any third-party drivers that you happen to install. If a single one of those pieces has a bug, then the bad guys can get into the kernel.

Microsoft has, of course, implemented several checks and balances in hopes of preventing rootkits from moving in. But the rootkits will simply disable the checks, because the checks and their reference data live in the same kernel memory the rootkit has already reached. It will be the same game of patch-and-exploit that we've been playing for years now.
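As an added illustration of the argument in the preceding paragraphs (this is not code from the newsletter, and it is not a model of PatchGuard's real design), the following C program simulates an in-kernel integrity check and three ways code running at the same privilege level can defeat it. The "kernel" structure, its byte contents and the use of CRC-32 as the check are all constructed for the example; the external verifier at the end stands in for a hypervisor or hardware root of trust whose reference copy Ring 0 code cannot write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TEXT_SIZE 64

/* A toy "kernel" image: the protected region plus the checker's own state.
 * All of it lives in one writable address space, because in this model every
 * driver and the checker itself run at the same privilege level (Ring 0). */
struct kernel {
    uint8_t  text[TEXT_SIZE];   /* code/data region the checker guards     */
    uint32_t expected_crc;      /* reference value stored in kernel memory */
    bool     checker_enabled;   /* the checker's own on/off switch         */
};

/* Plain CRC-32 (IEEE 802.3 polynomial, bit-reflected), computed without a table. */
static uint32_t crc32_ieee(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Fill the region with constructed bytes and snapshot the reference value. */
void kernel_init(struct kernel *k)
{
    for (size_t i = 0; i < TEXT_SIZE; i++)
        k->text[i] = (uint8_t)(0x90 + i);      /* constructed, not real code */
    k->expected_crc = crc32_ieee(k->text, TEXT_SIZE);
    k->checker_enabled = true;
}

/* In-band integrity check, as the kernel would run it periodically.
 * Returns true when the region matches the stored reference, or when the
 * check has been switched off (there is nothing left to compare against). */
bool integrity_check(const struct kernel *k)
{
    if (!k->checker_enabled)
        return true;
    return crc32_ieee(k->text, TEXT_SIZE) == k->expected_crc;
}

/* Rootkit 1: patch the region and do nothing else. This one is caught. */
void rootkit_patch_only(struct kernel *k)
{
    k->text[8] = 0xE9;          /* overwrite one byte, e.g. to plant a jump */
}

/* Rootkit 2: patch, then overwrite the stored reference with the new value.
 * The checker now compares memory against a number the attacker chose. */
void rootkit_patch_and_fixup(struct kernel *k)
{
    k->text[8] = 0xE9;
    k->expected_crc = crc32_ieee(k->text, TEXT_SIZE);
}

/* Rootkit 3: skip the arithmetic and flip the checker's own switch. */
void rootkit_disable_checker(struct kernel *k)
{
    k->checker_enabled = false;
    k->text[8] = 0xE9;
}

/* Contrast: a verifier whose reference value is held outside the kernel's
 * writable memory still sees the change, whatever the in-band state says. */
bool external_check(const struct kernel *k, uint32_t golden_crc)
{
    return crc32_ieee(k->text, TEXT_SIZE) == golden_crc;
}

int main(void)
{
    struct kernel k;
    kernel_init(&k);
    uint32_t golden = k.expected_crc;       /* copy held outside the kernel */

    rootkit_patch_only(&k);
    printf("patch only:        in-band %d  external %d\n",
           integrity_check(&k), external_check(&k, golden));

    kernel_init(&k);
    rootkit_patch_and_fixup(&k);
    printf("patch + fixup:     in-band %d  external %d\n",
           integrity_check(&k), external_check(&k, golden));

    kernel_init(&k);
    rootkit_disable_checker(&k);
    printf("checker disabled:  in-band %d  external %d\n",
           integrity_check(&k), external_check(&k, golden));
    return 0;
}
```

Only the first rootkit is reported by the in-band check; the other two pass it while the external verifier rejects all three. That is the whole point: a check that keeps its reference value and its enable flag in memory writable by the code it is checking has no root of trust, so anything that reaches Ring 0 can retune or switch off the check before doing anything else.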

Why security vendors need equal access

A technical rendition of how the whole process works is provided in an excellent article on the subject, aptly entitled Bypassing PatchGuard on Windows x64, at security site Uninformed.org.

For another description, read Joanna Rutkowska's Oct. 19 analysis of the subject. This is the same Joanna Rutkowska who demonstrated one of the first "hypervisor" rootkits at Black Hat Briefings this year. She points out that a high level of sophistication won't be necessary to subvert Vista. She may or may not disagree with me on whether vendors should be locked out of the kernel, but she certainly agrees with me that malware will get in.

I take it for granted that the black hats will find ways into the kernel. Do you want security software to be able to go in and root the bad stuff out? If not, I believe your only alternative will be to wipe the disk and reinstall. Of course, a wipe-and-reinstall is not a bad idea if you want to be sure you've completely eliminated a pest. But we have to recognize that this is simply not practical advice for the vast majority of users.

There will continue to be kernel malware. I believe we need products to be able to remove that malware. That leaves one question: who should be allowed to make software that can do that?

I suspect Microsoft will permit its own software to do so. As a matter of fact, I'd complain loudly if Microsoft's security software couldn't operate on the kernel. When kernel threats appear, you bet I expect Microsoft to try to clean them out.

The question is whether you'll be able to pay third parties to try also. Their approaches could well be more effective than Microsoft's. I personally don't want to rely solely on the Redmond software giant for such products. I want to have options and I want to have fair competition. Those are things you don't have when a company that dominates a market is allowed to use its monopoly to shut out competitors.

Do I trust Symantec or McAfee to always remove malware better, to be bug-free, to not destabilize the system? No, not at all. But, by the same token, I don't trust Microsoft to always have those qualities, either.

Despite my desire for competition, I use Windows, just as you probably do. But I've made a choice to use Windows. As long as I get to pick my poison, I'll live with its side-effects.


Ryan Russell is a contributing editor of the Windows Secrets Newsletter and quality assurance manager at BigFix Inc., a configuration management company. He moderated the vuln-dev mailing list for three years under the alias "Blue Boar." He was the lead author of Hack-Proofing Your Network, 2nd Ed., and the technical editor of the Stealing the Network book series.

TELL A FRIEND

How you can share this information

We love it when you send your friends links to our articles. But please don't forward your copy of our e-mail newsletter to people, which can subject us to spam complaints. Instead, simply suggest that your friends visit this issue's permanent Web address, shown below.

The address of this issue is http://WindowsSecrets.com/comp/061023

   
   
EBOOKSHELF

Spam-Proof Your E-Mail Address, 2nd Ed.
This 32-page e-book by Brian Livingston gives you step-by-step instructions that can prevent 97% of the spam that would otherwise clog an e-mail account. You could call it "Livingston's Spam Secrets." The PDF e-book is the result of months of experiments and tests we conducted. We now receive little or no spam to the addresses we used as guinea pigs. These tests show that you can make your e-mail addresses invisible to spammers, not just battle an ever-growing flood. The methods we describe work with Windows, Apple, and Linux and don't require any filters or block lists — but you can use those in addition to the book's techniques, if you wish. More info

YOUR SUBSCRIPTION

The Windows Secrets Newsletter is published twice a month on alternating Thursdays. Issues appear 2 days and 16 days after Microsoft Patch Tuesday (the 2nd Tuesday of each month). Only the first issue of the month is published in August and December to allow vacation breaks. A short "news update" is sometimes published between regular newsletters.

Publisher: WindowsSecrets.com LLC, 300 Queen Anne Ave. N. #456, Seattle, WA 98109 USA. Vendors, please send no unsolicited packages to this address (readers' letters are fine).

Editor: Brian Livingston. Contributing Editors: Susan Bradley, Woody Leonhard, Chris Mosby, Ryan Russell. Research Director: Vickie Stevens. Program Director: Brent Scheffler.

Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. The Windows Secrets series of books is published by Wiley Publishing Inc. The Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Patch Watch, Perimeter Scan, Wacky Web Week, the Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of WindowsSecrets.com LLC. All other marks are the trademarks or service marks of their respective owners.

Copyright © 2006 by WindowsSecrets.com LLC. All rights reserved.
