Open season for Vista

Before its official release, Windows Vista is under serious fire from security firms and researchers. NME gives a roundup of the latest arguments.

  • E-Mail
By  Eliot Beer Published  October 30, 2006

|~|windowshoot200.jpg|~||~|It is tempting, on some select occasions, to feel a measure of sympathy for embattled Microsoft. This last month has been a particularly busy one for the software giant, with security at the top of the list of issues – a not uncommon occurrence. The two battlegrounds for Microsoft centred around two of its most high-profile releases – Internet Explorer 7 (IE7) and Windows Vista. The release of IE7 was always going to see a scramble to find the first security hole – the scalp was definitively taken by Secunia, one week after the browser’s release. The bigger conflict last month, though, was between Microsoft and several of the largest security vendors. The issue: Patchguard, Windows Vista’s bid to keep all external software out of its kernel. As security software commonly relies on access to the kernel to keep control of what other software on the system is doing – a vital plank of many protection strategies. McAfee fired the opening salvo, in the form of a full-page advert in the London Financial Times last month; this took the form of an open letter to computer users everywhere, warning them that Vista would not be as secure as their current OS. The vendor accuses Microsoft of shutting out third-party security providers to further its own security service ambitions. “Microsoft is being completely unrealistic if, by locking security companies out of the kernel, it thinks hackers won’t crack Vista’s kernel. In fact, they already have,” said the advert in part. Other comments included: “At the same time [as shutting of access to the kernel], Microsoft has firmly embedded its own Windows Security Center - a product that cannot be disabled even when the user purchases an alternative security solution. This approach results in confusion for customers and prevents genuine freedom of choice.” McAfee’s letter followed on from comments in the same vein from security software leader Symantec that Microsoft was being unforthcoming in releasing API information about Windows Defender, a MS anti-spyware system. Microsoft was quick to counter these claims, saying: “Partners are at the core of Microsoft's business model. We have worked closely with our security partners throughout the development of Windows Vista, and continue to do so.” The Redmond giant then promised to release more details about how third parties could interact with Vista, only to be criticised by McAfee and Symantec as offering too little, too late. Only to complicate matters, other security vendors then waded into the debate; Kaspersky said it never had any problems with Microsoft’s security methods around Vista; meanwhile Sophos accused McAfee and Symantec of poor preparation for Vista. The issue at hand will only affect the 64-bit version of Vista – home users and SMBs are likely to remain untroubled by the furore. But enterprises will be looking at deploying the new high-end OS, and will have to factor security concerns into any purchase. Over the summer security researcher Joanna Rutkowska of Coseing demonstrated a way to inject malicious code into the 64-bit kernel, bypassing Patchguard – a system which is designed to turn the kernel into an effective ‘black box’ to external applications. Microsoft has issued a fix for this flaw, but Rutkowska has dismissed this as flawed. “Microsoft actually decided to ignore those suggestions and implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem,” she commented on her blog, before adding: “But even that all being said, I still think that PG is actually a very good idea. PG should not be thought as of a direct security feature. “PG’s main task is to keep legal programs from acting like popular rootkits. Keeping malware away is not its main task. However, by ensuring that legal applications do not introduce rootkit-like tricks, PG makes it easier and more effective to create robust malware detection tools.”||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code