Symantec and McAfee say that a Microsoft technology called Patch Guard -- which blocks access to the 64-bit Vista kernel -- will make it harder for third-party security vendors to deliver certain features in their products.
In a full-page advertisement in London's Financial Times last week, McAfee charged that Microsoft's decision to "shut-off access" to the kernel amounts to anticompetitive behavior. The two security vendors also accuse Microsoft of other tactics designed to make life harder for independent security vendors at a time when the software giant is expanding its own presence in the security field. In an interview with Computerworld, Stephen Toulouse, senior product manager with Microsoft's security technology unit, explained his company's position.
Excerpts from that interview follow:
Why did Microsoft decide to restrict access to the 64-bit Windows kernel?
The biggest concern has been rootkits that can hide themselves from detection software and antivirus software. When you have a situation where code that is not part of the operating system can run at the same level as the kernel, that is not good because the kernel can't necessarily figure out what is good and what is bad.
In the 32-bit version of the [operating system] there has always been these undocumented and unsupported ways of modifying the kernel while it is running. That introduced stability problems, performance problems and security problems because attackers can use them, as well. These unsupported, undocumented ways of modifying the kernel have never been used by Microsoft and their use by other vendors is frowned on. We don't believe that it is good for the user experience to modify the kernel while it is running. When changes are made to it in unsupported fashion, you introduce instability.
So, what we felt the right thing to do for the 64-bit platform was to prevent the use of these unsupported functions and instead try to implement safer documented ways of implementing the same functionality.
What does Patch Guard do for Windows?
I think it is important first off from our perspective to note that one of the things that customers have been very clear about with Windows and all of our products is that we've got to fundamentally raise the security of those products. That has been very, very clear feedback from our customers. One of the ways we are doing that on our 64-bit platform is this implementation that is known as kernel patch protection or Patch Guard. It is actually not new. We have been shipping operating systems with kernel patch protection for a couple of years now. The feature is also in Windows XP 64 and Windows Server 2003, 64-bit.
The goal around Patch Guard is to help make a more stable, reliable and secure experience for the customer. It prevents the unsupported and undocumented modification of the kernel. If it detects [that the kernel] has been modified or something is attempting to modify it, Patch Guard will automatically shut the system down to prevent an attack.