San Jose, Calif. and St. Petersburg, Russia (PRWEB) July 26, 2006
After an in-depth analysis of the new security measures introduced by Microsoft under the name “Kernel Patch Protection,” the computer security experts at Agnitum today announced that this attempt to improve security instead is a possible move to preclude or block the use of third-party security software in Windows.
Agnitum experts also believe that Kernel Patch Protection will make it harder for third-party security software vendors to maintain compatibility with Windows, while posing little or no threat to hackers.
Key conclusions from the analysis include:
- Microsoft Kernel Patch Protection prevents security software developers from installing security software at the kernel level, an approach that developers use to ensure security against malware applications.
- If certain versions of the kernel are in use, kernel patch protection does not prevent hackers from reverse engineering specific areas of code in the operating system to re-acquire unauthorized access to the kernel.
- If third-party security software is going to work, then independent software companies must similarly reverse-engineer access to the operating system kernel, making it more difficult to install and maintain products that ensure better security for Windows and Windows users.
“As the vendor of Outpost Firewall Pro, we have to install at the kernel level,” said Alexey Belkin, chief software architect at Agnitum. “In addressing the potential problem of not being able to install Outpost on new versions of Windows, we have discovered that it is possible to drill past the new security measures introduced by Microsoft – if we use the same techniques used by hackers. That’s a wide-open hole. If we discovered it, then hackers will discover it, and they will use that hole to install malicious software.”
Kernel Patch Protection is intended to provide better protection for low-level system activities such as the file and registry operations of the Windows kernel, the deepest level of OS operations (http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx). Any program that gains access to the kernel can, for instance, hide a folder on the hard disk and make it impossible to delete that folder using regular Windows tools. While malicious programs can modify the Windows kernel and hide themselves in this way to surreptitiously steal information, security software developers also need access to the kernel to provide PC security.
Forcing independent software developers down the road of acting like hackers gives the advantage to hackers, as they don’t need to undertake the level of compatibility testing and quality assurance required by legitimate software developers.
The full analysis is available on the Agnitum website: Kernel Patch Protection analysis
“Microsoft made a logical move with this attempt to protect Windows against rootkits,” said Mikhail Penkovsky, vice president of Sales and Marketing at Agnitum.
“Unfortunately, it doesn’t really resolve the problem, and also makes it a great deal more difficult for independent security software developers to be fully compatible with Windows. Nobody knows if Microsoft has done this intentionally, but we can’t avoid the suspicion that this move may have been designed to force users to rely on Microsoft and only Microsoft for Windows security. If past experience is anything to go by, third-party security software solutions are likely to be more robust and provide better protection for users, who will be the biggest losers if this proves to be the case.”
In 64-bit versions of Windows and in the upcoming Windows Vista, Kernel Patch Protection will insulate the kernel from legitimate changes. This means that no third-party security software vendor will be able to install security software that relies on kernel functions through legitimate coding approaches, while hackers can still feel free to reverse-engineer their way to successful rootkit delivery using less-legitimate methods.
“The problem lies in the fact that these less-legitimate methods will work only for specific Windows kernel versions,” said Penkovsky. “If legitimate independent software developers are forced to take this approach, with every serious update to the OS, those developers will have to make changes to their installation methods. It will be a nightmare for legitimate developers while posing little or no problem for hackers, who don’t have to maintain 100-percent compatibility. And improvements to malware are much easier to code than improvements to security software.”
Founded in 1999, Agnitum Ltd. is committed to delivering and supporting high-quality, easy-to-use security software. The company’s products are Outpost Firewall Pro, securing personal and family desktops, and Outpost Network Security, ensuring reliable endpoint protection and performance for small business networks. Agnitum firewall technology is licensed by Novell, Sophos and Lavasoft.