Microsoft will take years to open Vista kernel: analyst

Stan Beer
Friday, 20 October 2006 14:35

Your IT - Home IT

Regarding Patchguard, McDonald said in his note: "Contrary to some press reports, Microsoft will not offer a mechanism for deactivating PatchGuard or a trusted mechanism for "kernel hooking" (Windows system-call interception and kernel dispatch table modification). Microsoft has committed to work with ISVs to develop mutually acceptable mechanisms that will enable legitimate, trusted security software to interact with and control aspects of kernel operation — for example, process creation and termination, memory, anti-tampering and code-loading operations — via documented and supported application programming interfaces (APIs), implemented in much the same way as the Windows Filtering Platform framework. However, these APIs do not yet exist, and the changes will require changes to the 64-bit Windows kernel that will not be complete in time for the initial release of Vista. Moreover, any kernel changes may have a "ripple effect" up the software stack and will require retesting of all of Windows Vista applications. To avoid delaying Vista's release or removing the 64-bit version, Microsoft will work with ISVs to deliver initial capabilities and APIs in this area, which we expect in early 2008, when the first service pack for Vista (SP1) will likely be released, with more complex work and more APIs delivered with SP2 or later."

For security vendors, the news was a little better with respect to Windows Security Center: "The process itself cannot be deactivated, and Windows Security Center remains a single location where Microsoft and third-party security applications can query Vista's security status. The mechanism to disable Windows Security Center alerts must be architected — likely using signature-based technology — so that malicious software cannot deactivate it. Microsoft needs to work out an agreement with ISVs so that, when their software is uninstalled or switched off, Windows Security Center alerting is returned to its original state. These changes, which should be relatively straightforward, are expected to be included in the final version of Windows Vista released to manufacturing."

The upshot is that McAfee and Symantec will probably get their way with regards to Windows Security Center but will not be able to get access to the Vista 64-bit operating system kernel for at least 18 months.

A McAfee source told iTWire that it was possible that Microsoft already had anticipated in advance the necessary changes that would be required and had them ready to implement at a moment's notice. However, if Gartner's McDonald is correct, this is unlikely in the case of Patchguard because changes to the kernel would be required, which in turn would reqire retesting of all Vista applications.

Sentiment in the user community on this issue is by no means all anti-Microsoft. At least as many or more bloggers agree with Microsoft's view that locking the Vista kernel down and not giving third party security vendors access is desirable. There is a cynical perception among some bloggers that security vendors have no interest in seeing Vista being made more secure.