Microsoft patches PatchGuard, misses Purple Pill

Microsoft has updated its 64-bit kernel protection for Windows Vista, which most of us know as PatchGuard, but which Microsoft calls Kernel Patch Protection.

This is Microsoft's third PatchGuard update, in what has become a cat and mouse game between the software giant and security researchers.

Initially I thought this update might have something to do with the "Purple Pill" or Atsiv software, released recently, which lets you load unsigned drivers into the Vista kernel.

Microsoft didn't comment on this directly, but their PR agency said that the update doesn't have anything to do with Purple Pill.

This update is a defense-in-depth change that builds additional checks into KPP for increased reliability, performance, and security. Although the update will enhance security within the kernel, this is not a vulnerability-related issue.

Noted Windows kernel hacker Skywing, AKA Ken Johnson, has a pretty good grasp on the changes. He told me:

"The patch essentially introduces PatchGuard v3 - it alters the obfuscation mechanisms already existing in v2 and introduces some new tricks in an attempt to defeat any code floating around out there which is designed to bypass PatchGuard v2.

In other words, the update changes PatchGuard so that the old ways of bypassing it won't work until they are updated to cope with the additional changes that PatchGuard v3 brings to the table. It appears primarily geared towards making PatchGuard less easy to bypass from a third party driver perspective, much like how PatchGuard v2 was an incremental improvement over PatchGuard v1. There are some additional internal kernel variables that are now protected by PatchGuard v3 (but weren't guarded by PatchGuard v2), likely in an attempt to close loopholes that could have been used to either disable PatchGuard v2 or ignore it completely by altering things that it did not protect in the first place.

BTW, PatchGuard v3 has been out in Windows Server 2008 at least since the Beta 3 timeframe, and it was also made publicly available for Vista alongside the KB938979 update for Vista on August 7 or so, when ntoskrnl.exe was first updated since RTM in a publicly available hotfix. This "advisory" is just publicly announcing the new PatchGuard revision and pushing it out via Windows Update to everyone (such as Vista x64 users who hadn't installed KB938979, or Windows Server 2003 x64 users for which there hasn't yet been a public hotfix that PatchGuard v3 piggy-backed along, to my knowledge)."

So does that mean we'll be seeing another PatchGuard update to fix Purple Pill or Atsiv? It's not clear to me what Microsoft could do here. As I understand it, both of these tools used legitimate driver certificates to get their unsigned drivers into the kernel. Atsiv used a certificate that has since been revoked, and Purple Pill used a buggy ATI driver that has now been patched, and which will soon be delivered by Windows Update, according to Microsoft PR.
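Since both tools relied on a legitimately signed driver to get into the kernel, the defender's first question is what is actually loaded and whether its signature still checks out. The script below is an added example, not from the article or from Microsoft; it assumes an elevated PowerShell session on a Windows host and evaluates signer trust against that host's current certificate stores.

```powershell
# Added example: inventory running kernel-mode drivers and report each one's
# Authenticode signature status, so that unsigned drivers, tampered binaries,
# and drivers whose signing certificate is no longer trusted (e.g. revoked)
# stand out for review. Requires an elevated session to read driver binaries.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    # Win32_SystemDriver lists the kernel-mode drivers known to the Service Control Manager.
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($drv in $drivers) {
        # PathName may be quoted, use the \??\ or \SystemRoot\ prefixes, or be
        # relative to the Windows directory; normalise it to a plain file path.
        $path = $drv.PathName.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path $env:SystemRoot ($path -replace '^\\?SystemRoot\\?', '')
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name       = $drv.Name
            Path       = $path
            Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        }
    }
}

# Anything that is not 'Valid' deserves a look; keep the signer thumbprint so the
# result can be compared against certificates known to have been revoked.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Name |
    Format-Table -AutoSize
```

This is the user-mode Authenticode check, not the kernel's own code-integrity policy, so treat it as a triage aid rather than a verdict; a driver signed with a now-revoked certificate will only show as untrusted if the host can evaluate revocation for that chain.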

All this effort may be in vain, however, according to eEye's Marc Maiffret, who thinks that this is just an arms race that will go on and on. He calls all of Microsoft's kernel protection effort "time wasted."

The pain that Microsoft has put developers through in creating/signing all drivers and related does not equal the real threat posed by people loading malicious driver files. You will always be able to circumvent any built-in protection and trojan systems. Microsoft is just creating yet another arms race in going back and forth with researchers breaking their kernel protection, and them adding more protection. But none of that matters as long as the core problem exists, that Microsoft still continues to make vulnerable software which allows bad guys to target Windows systems and steal data, and that has nothing to do with kernel or otherwise.


Robert McMillan

IDG News Service