Security vendors see danger in Microsoft PatchGuard
Microsoft's decision to stop security vendors accessing the Windows Vista kernel may weaken firms' protection
Security vendors last week urged Microsoft to reconsider its decision to prevent their developers gaining access to the 64-bit Windows Vista kernel. They said that without such access many enterprise security products may offer reduced functionality, exposing users of the forthcoming operating system.
Microsoft's PatchGuard is designed to help block rootkits by monitoring the kernel and stopping unauthorised changes. But it also excludes the independent security vendors, who rely on access to the kernel data and services.
"Trying to put the core of the OS into a locked box is a great idea but it creates a scenario where a hacker can break in – which has already happened – but we can't interact with the core to provide the latest solutions," said Cris Paden of security vendor Symantec. "It's tying the hands of enterprise customers."
Mike Dalton, European president at security vendor McAfee, said his firm's intrusion-prevention functionality relies "on seeing what goes on in the kernel", so Microsoft's decision could expose McAfee customers to threats such as mass mailer viruses.
"This is reducing choice for corporates and putting them at risk," said Dalton. "We'd argue that XP is a more secure operating system than Vista at this time."
Microsoft has already allowed third-party vendors to turn off the Vista firewall, and has agreed to give them the ability to interoperate with the Vista Defender anti-spyware tool. Vendors argued that a similar compromise could be easily achieved with the Vista kernel.
David Bradshaw of analyst Ovum said that Microsoft was trying to rectify past mistakes and there would inevitably be conflict with third-party vendors who have "been making money out of Microsoft faults for years".
"But it's not directly in Microsoft's interest to deprive the security vendors of their business – security is a tiny line of business for Microsoft," said Bradshaw. "Some would argue the security vendors were effectively putting in rootkits, so if this forces them to do something different then that may be no bad thing."
Microsoft said it made the decision in response to customer feedback to improve security, stability and reliability, and added that its own developers were bound by the same requirements as external vendors.
"Microsoft has worked cooperatively with vendors for several years trying to define the appropriate kernel security interfaces so that we could make the changes necessary to offer a cleaner, consistent and more reliable access to the kernel than vendors used in the past," said a Microsoft spokesman. "With Windows Vista, we are now at a release where we have those interfaces built in, and we’ve been working with vendors to help transition to using the new programmatic interfaces."
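The dispute above comes down to two ways of getting visibility into the kernel: patching kernel structures directly (the technique PatchGuard is described as blocking) versus going through sanctioned programmatic interfaces (what Microsoft says Vista now provides). The following is an added, user-mode model written for this page; it is not PatchGuard's code, not any vendor's product, and makes no claim about how Windows implements either mechanism. A small dispatch table of function pointers stands in for a protected kernel structure, a baseline checksum is taken at start-up, a periodic check flags any direct modification, and a separate observer registration stands in for a sanctioned callback interface through which a security product can see calls without patching anything. All names and the table contents are constructed for the illustration.

```c
/* Added illustration of "patch protection" versus "sanctioned interface".
 * Not Microsoft's PatchGuard and not a model of real Windows internals. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*dispatch_fn)(int);

#define TABLE_SIZE 4
#define MAX_OBSERVERS 4

/* Constructed "services" standing in for kernel routines. */
static int svc_open(int x)  { return x + 1; }
static int svc_read(int x)  { return x * 2; }
static int svc_write(int x) { return x - 1; }
static int svc_close(int x) { (void)x; return 0; }

/* Protected structure: the kind of table a rootkit would hook directly. */
static dispatch_fn dispatch_table[TABLE_SIZE] = { svc_open, svc_read, svc_write, svc_close };

/* Sanctioned extension point: observers are notified of each call, never
 * written into the protected table. */
typedef void (*observer_fn)(int idx, int arg);
static observer_fn observers[MAX_OBSERVERS];
static size_t observer_count;

/* FNV-1a 64-bit over the raw bytes of the table; the baseline is taken at
 * initialisation and re-checked later. Any change to a pointer changes it. */
static uint64_t table_checksum(void) {
    const unsigned char *p = (const unsigned char *)dispatch_table;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof dispatch_table; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t baseline;

void protection_init(void) { baseline = table_checksum(); observer_count = 0; }

/* Returns 1 while the table matches the baseline, 0 once it has been patched. */
int protection_check(void) { return table_checksum() == baseline; }

/* The "programmatic interface": register for visibility without patching. */
int register_observer(observer_fn fn) {
    if (fn == NULL || observer_count >= MAX_OBSERVERS) return -1;
    observers[observer_count++] = fn;
    return 0;
}

/* Dispatcher: notifies registered observers, then calls the real service. */
int dispatch(int idx, int arg) {
    if (idx < 0 || idx >= TABLE_SIZE) return -1;
    for (size_t i = 0; i < observer_count; i++) observers[i](idx, arg);
    return dispatch_table[idx](arg);
}

/* Models the unsanctioned route: a hook written straight into the table.
 * The protection check detects it because the table bytes no longer match. */
static int hook_hits;
static int hooked_read(int x) { hook_hits++; return svc_read(x); }
void simulate_unauthorised_patch(void) { dispatch_table[1] = hooked_read; }
void simulate_restore(void) { dispatch_table[1] = svc_read; }

/* A constructed security-product observer that only counts what it sees. */
static int seen_calls;
static void counting_observer(int idx, int arg) { (void)idx; (void)arg; seen_calls++; }
int observed_calls(void) { return seen_calls; }

int main(void) {
    protection_init();
    register_observer(counting_observer);
    int r = dispatch(1, 21);
    printf("read(21) = %d, baseline intact: %d, observed calls: %d\n",
           r, protection_check(), observed_calls());
    simulate_unauthorised_patch();
    printf("after direct patch, baseline intact: %d\n", protection_check());
    simulate_restore();
    return 0;
}
```

The observer gets the same visibility into calls as the hook did, but the integrity check never fires for it, which is the distinction the Microsoft statement draws between "the new programmatic interfaces" and the way vendors "used in the past". The model also shows the limit of checksum-based protection that the Symantec quote alludes to: it detects a change after the fact rather than preventing the write, so the check interval matters.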
But McAfee's Dalton argued that Microsoft is creating a "security monoculture", which will stifle innovation in the industry. Earlier this month an EU Commission spokesman on competition also warned that diversity and innovation could be threatened if Microsoft does not allow other security vendors "a level playing field".