Windows kernel protection expected to break soon

PatchGuard, a Microsoft technology to protect Windows, will be hacked sooner rather than later, an expert predicts.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
MONTREAL--PatchGuard, a Microsoft technology to protect key parts of Windows, will be hacked sooner rather than later, a security expert said Thursday.

Hackers will break through the protection mechanism soon after Microsoft releases Windows Vista, Aleksander Czarnowski, a technologist at Polish security company AVET Information and Network Security, said in a presentation at the Virus Bulletin event here.

"It will probably take a year or so for it to surface publicly, but I believe it will be broken earlier," Czarnowski said. "PatchGuard will be broken pretty soon after the final version is released... A lot of people who would break it will probably not make it public immediately."

Microsoft designed PatchGuard, also called kernel patch protection, to safeguard the Windows kernel against malicious code attacks. Cybercrooks have found ways to exploit the innards of Windows for malicious purposes, making the protection offered by PatchGuard key to securing the operating system, Microsoft has said. (A paper on PatchGuard is available on Microsoft's Web site.)

The technology applies only to 64-bit versions of Windows and debuted last year in Windows XP x64 Edition. However, while that Windows version was never broadly adopted, PatchGuard is set to become used more widely, when Vista hits store shelves in January and people are expected to buy PCs with 64-bit processors and 64-bit versions of the operating system.

"Kernel patch protection is not a silver bullet. We're not saying no one will ever crack it," Stephen Toulouse, a program manager in Microsoft's Security Technology Unit, wrote on his blog last week. "The point is that the situation as it exists now? attackers don't need to do any work to access the kernel at the highest level. At least with kernel patch protection, we're trying to prevent that."

There have been some claims that PatchGuard has already been compromised, but according to Microsoft it has not yet been hacked. "We're not aware as of right now that people have circumvented it," Toulouse wrote.

If PatchGuard is ever circumvented, Microsoft would fix the issue with a software update, Toulouse wrote. "Kernel patch protection can become more resilient over time due to the combination of hardware and software advancements," he wrote.

Security companies have been taking all sorts of shots at Vista. Symantec, the world's largest maker of antivirus software, has been leading the pack, closely followed by others including McAfee, Check Point Software Technologies and Panda Software.

Security companies have complained that PatchGuard, while meant to lock out bad guys, also prevents certain types of security software from running. The security software makers had gotten used to taking advantage of the Windows kernel, a move Microsoft is preventing with PatchGuard.

Tensions are flying high in the security space after Microsoft, with its $34 billion war chest, entered the market. It launched Windows Live OneCare for consumers and is readying enterprise security products. Microsoft, with its huge presence on desktops, has a built-in advantage -- an advantage that's making security firms nervous.