Symantec picks away at Vista's core
In third report on Windows Vista security, Symantec lauds Microsoft's work but finds flaws. Redmond says it's old news.
Vista includes several barriers designed to prevent malicious code from gaining access to the operating system core or kernel. These enhancements are "quite substantial" and result in a "dramatic reduction" of the overall attack surface of the operating system, Symantec said in a report published Tuesday.
"However, we have identified certain weaknesses in the kernel enhancements that may be leveraged by malicious code to undermine these improvements," Matthew Conover, principal security researcher at Symantec, wrote in the report titled "Assessment of Windows Vista Kernel-Mode Security" (click for PDF).
Vista, slated to be broadly available in January, will be the first new version of Windows for PCs since XP, which was released in 2001. Microsoft has put a strong emphasis on security in Vista and promotes it as its most secure version of Windows yet.
Microsoft dismissed Symantec's report as old news, because the research is based on a Vista build released several months ago. "Microsoft has been progressing toward the final release of the product and has released subsequent builds that have addressed the majority of the issues identified in this report," a Microsoft representative said.
The Symantec report focuses on the 64-bit version of Vista, which has more kernel security features than the 32-bit version. Conover looked at
In the report, Conover claims it is possible to circumvent several of the techniques Microsoft designed to protect the Vista core from malicious code. For example, the "PatchGuard" feature that checks the integrity of key parts of the kernel code can be disabled, according to the report.
Also, an attacker could disable a mechanism to block unsigned driver software to run on Vista PCs by "patching" core operating system files, Conover wrote. Malicious drivers pose a serious threat because they run at a low level in the operating system. Last week another researcher attacked the same Vista security feature at the Black Hat event in Las Vegas.
Microsoft thanked Symantec for its feedback, even though the software giant called it "unusual for a partner to provide this amount of analysis and publish its findings on a beta version of Windows Vista."
Traditionally allies, Microsoft and Symantec are now going head-to-head in the security arena. In late May, Microsoft introduced Windows Live OneCare, a consumer security package, and the company is readying an enterprise product. Symantec has sued Microsoft, alleging misuse of data storage technology it licensed to the company.
Earlier Symantec reports on the Vista kernel looked at the networking stack and user account control features of Vista.