Why Microsoft is wrong on Vista security

McAfee Chief Scientist George Heron says a technological dispute could usher in a new age of insecurity.

For decades, and in every Windows operating system prior to Vista, Microsoft has relied on the contributions of third-party security vendors to help keep the user safe.

These products protected both consumers and corporate users from the ravages of malware such as viruses, spyware, trojans, worms and, most recently, rootkits.

These security products from independent software vendors even help keep people's computers safe from Microsoft's own critical software bugs, which notably have been on the increase in recent years.

Regrettably, Microsoft's own "buffer overflows" and "Internet Explorer exploits" have now become commonplace in today's lexicon. But again, the security products from the likes of McAfee, Symantec, Check Point Software Technologies, et al., have thankfully been available for people to choose in order to keep their computing experience safe.

Over the years, the users (i.e. you, me, our families and colleagues) have been able to select the best security solution for them from among any number of companies providing mature and innovative security products.

This cooperative and relatively safe computing experience is about to change for the worse in Vista.

Dropping down to the core of the operating system, we see that Microsoft has implemented PatchGuard as a means of preventing access to kernel services that classically have been allowed and available in all previous versions of Windows.

In a nutshell, PatchGuard crashes the computer when it detects that specific internal data structures have been "hooked," which is a common way that malicious software starts doing its damage.

However, the advanced features of behavioral detection and intrusion protection software also work this way. So by attempting to lock out the bad guys, PatchGuard is also blocking advanced security features from working, and the user is much less secure.

A straightforward example of this serious condition would be to consider the case of a new mass-mailing worm suddenly appearing in the wild. Typically, known viruses are caught during the delivery process, when the file containing the virus is scanned for the characteristic signature of the malicious software. If the bit pattern defining a known virus matches that in the incoming file, the file will be quarantined or deleted, according to the policy governing this on the computer.

A new virus, however, will not yet have a characteristic signature, as it has not yet been studied by the virus research team, so this zero-day attack will slip past the traditional antivirus checks in the kernel. Then, when the infected carrier file runs and the virus is ultimately launched, it is born on the computer and immediately begins doing its dastardly deeds; in the case of a mass mailer, it ravages the e-mail client's address book and begins sending out tons of e-mails.

The cool part of the story happens next, when the security software engages to stop the virus dead in its tracks. All modern antivirus software contains--in addition to the basic signature file scanning mentioned earlier--a technique termed heuristic behavior detection that is designed to stop a zero-day attack like the mass-mailer worm being described.

The calls being made by the worm into the kernel are studied by means of the antivirus hooking the APIs (application programming interfaces), and it can be determined from the specific API calls and the order/frequency of those calls that a worm is active in the system. The antivirus then kills the worm by issuing an Application Terminate call to the kernel, and the user is once again safe.

Of course, some other details are not depicted in this simple example. But the main point is that this is the way state-of-the-art antivirus operates today: first detecting known virus signatures, then using behavioral techniques to detect new, zero-day outbreaks. And the killer part of this example is that PatchGuard will prevent this type of behavior-based zero-day detection from operating.
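As an added illustration of the order/frequency reasoning just described (this is not code from the article or from McAfee), here is a toy user-mode detector run over a constructed call trace: it flags a process only when it enumerates the address book and then issues a burst of sends, which is the point at which a real product would issue its Application Terminate call. The event labels, thresholds and process IDs are assumptions, not real Windows APIs or any vendor's rules.

```python
"""Toy heuristic behavior detector over a constructed per-process call trace."""
from collections import defaultdict, deque

# Constructed trace: (timestamp_seconds, pid, event_label). Labels are
# illustrative, not real Win32 API names. pid 200 plays the mass mailer;
# pid 100 is an ordinary client; pid 300 sends a lot but never reads contacts.
SAMPLE_TRACE = [
    (0.0, 100, "CreateFile"),
    (0.5, 200, "OpenAddressBook"),
    (0.6, 200, "EnumerateContacts"),
    (1.0, 100, "SendMail"),
    *[(1.0 + i * 0.05, 200, "SendMail") for i in range(40)],
    *[(2.0 + i * 0.05, 300, "SendMail") for i in range(30)],
    (4.0, 100, "SendMail"),
]

SEND_THRESHOLD = 20   # assumed: sends within the window that count as a burst
WINDOW_SECONDS = 5.0  # assumed: sliding window length


class MassMailerHeuristic:
    """Combines an order condition (contacts read first) with a frequency one."""

    def __init__(self, threshold=SEND_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.read_contacts = set()        # pids that touched the address book
        self.sends = defaultdict(deque)   # pid -> timestamps of recent sends
        self.verdicts = {}                # pid -> ("terminate", reason)

    def observe(self, ts, pid, api):
        """Feed one hooked call; return the action for this pid, or None."""
        if pid in self.verdicts:
            return self.verdicts[pid][0]
        if api in ("OpenAddressBook", "EnumerateContacts"):
            self.read_contacts.add(pid)
            return None
        if api == "SendMail":
            recent = self.sends[pid]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:  # drop stale sends
                recent.popleft()
            if pid in self.read_contacts and len(recent) >= self.threshold:
                reason = f"{len(recent)} sends in {self.window}s after reading contacts"
                self.verdicts[pid] = ("terminate", reason)
                return "terminate"
        return None


def analyze(trace):
    """Replay a trace in time order and return the per-process verdicts."""
    det = MassMailerHeuristic()
    for ts, pid, api in sorted(trace):
        det.observe(ts, pid, api)
    return det.verdicts
```

Only pid 200 is terminated: pid 300 sends just as aggressively but never read the address book, which is why the order of calls matters as much as their frequency.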

The standard technique employed by security vendors for years and years--hooking the APIs and the ability to kill applications--is specifically being blocked. Further, Microsoft is preventing security vendors' antivirus packages from using these advanced features even though it has no similar detection technique and no ability to do this itself.

The net-net is that the user is demonstrably less safe than in the XP days, when security vendors could use their advanced behavioral features.

I'm not sure how we can end this story on a positive note. With Microsoft's design of Windows Security Center and PatchGuard, the restrictions on user choice of security solution, the stifling of innovation being forced upon the industry and, most of all, the clear and present danger of dramatically reduced user safety all come to a head in Vista.

I suppose one can only hope that Microsoft can come to the realization at some point soon that the simple Vista alterations suggested by the industry must be taken seriously and implemented.