Microsoft patches PatchGuard, misses Purple Pill

Microsoft has updated its 64-bit kernel protection for Windows Vista, which most of us know as PatchGuard, but which Microsoft calls Kernel Patch Protection.

This is Microsoft's third PatchGuard update, in what has become a cat and mouse game between the software giant and security researchers.

Initially I thought this update might have something to do with the "Purple Pill" or Atsiv software, released recently, which lets you load unsigned drivers into the Vista kernel.

Microsoft didn't comment on this directly, but their PR agency said that the update doesn't have anything to do with Purple Pill.

This update is a defense-in-depth change that builds additional checks into KPP for increased reliability, performance, and security. Although the update will enhance security within the kernel, this is not a vulnerability-related issue.

Noted Windows kernel hacker Skywing, AKA Ken Johnson, has a pretty good grasp on the changes. He told me:

"The patch essentially introduces PatchGuard v3 - it alters the obfuscation mechanisms already existing in v2 and introduces some new tricks in an attempt to defeat any code floating around out there which is designed to bypass PatchGuard v2.

In other words, the update changes PatchGuard so that the old ways of bypassing it won't work until they are updated to cope with the additional changes that PatchGuard v3 brings to the table. It appears primarily geared towards making PatchGuard less easy to bypass from a third party driver perspective, much like how PatchGuard v2 was an incremental improvement over PatchGuard v1. There are some additional internal kernel variables that are now protected by PatchGuard v3 (but weren't guarded by PatchGuard v2), likely in an attempt to close loopholes that could have been used to either disable PatchGuard v2 or ignore it completely by altering things that it did not protect in the first place.

BTW, PatchGuard v3 has been out in Windows Server 2008 at least since the Beta 3 timeframe, and it was also made publicly available for Vista alongside the KB938979 update for Vista on August 7 or so, when ntoskrnl.exe was first updated since RTM in a publicly available hotfix. This "advisory" is just publicly announcing the new PatchGuard revision and pushing it out via Windows Update to everyone (such as Vista x64 users who hadn't installed KB938979, or Windows Server 2003 x64 users for which there hasn't yet been a public hotfix that PatchGuard v3 piggy-backed along, to my knowledge)."

So does that mean we'll be seeing another PatchGuard update to fix Purple Pill or Atsiv? It's not clear to me what Microsoft could do here. As I understand it, both of these tools used legitimate driver certificates to get their unsigned drivers into the kernel. Atsiv used a certificate that has since been revoked, and Purple Pill used a buggy ATI driver that has now been patched, and which will soon be delivered by Windows Update, according to Microsoft PR.
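Both tools got into the kernel with drivers that carried real signatures, which is why the fix on Microsoft's side was certificate revocation and a patched driver rather than a PatchGuard change. A defender's check that follows from this, added here as an example and not code from the article or from Microsoft, is to enumerate the drivers actually loaded and flag any whose Authenticode signature no longer verifies as Valid. It assumes Windows PowerShell with the Win32_SystemDriver CIM class available; whether a revoked signing certificate is reported as non-Valid depends on the machine's revocation-checking policy.

```powershell
# Added example (not from the article): audit running kernel-mode drivers and
# report those whose Authenticode signature does not verify as Valid.
# Assumption: Windows PowerShell with Get-CimInstance and Get-AuthenticodeSignature.

function Get-UnverifiedDriver {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may use NT-style prefixes such as \??\C:\... or \SystemRoot\...
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            # Anything other than Valid (NotSigned, NotTrusted, HashMismatch, ...)
            # deserves a look: it is code running in ring 0 without a good signature.
            [pscustomobject]@{
                Driver     = $d.Name
                Path       = $path
                Status     = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
            }
        }
    }
}

Get-UnverifiedDriver | Format-Table -AutoSize
```

On a healthy x64 system the list should be empty; compare the Signer and Thumbprint of any hit against the vendor's known signing certificate before deciding whether it is a stale driver or something that should not be there.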

All this effort may be in vain, however, according to eEye's Marc Maiffret, who thinks that this is just an arms race that will go on and on. He calls all the kernel protection effort "time wasted" by Microsoft.

The pain that Microsoft has put developers through in creating/signing all drivers and related does not equal the real threat posed by people loading malicious driver files. You will always be able to circumvent any built-in protection and trojan systems. Microsoft is just creating yet another arms race in going back and forth with researchers breaking their kernel protection, and them adding more protection. But none of that matters as long as the core problem exists, that Microsoft still continues to make vulnerable software which allows bad guys to target Windows systems and steal data, and that has nothing to do with kernel or otherwise.


Robert McMillan

IDG News Service