Over the past month or so, I have been amazed by the amount of speculation, strong assertions and outright misinformation that has been printed with respect to Kernel Patch Protection and the offical Application Programming Interfaces (APIs) into the kernel. Thankfully, Jim Allchin respond to this directly and clarified.
IMO, the lead messaging on this was driven by Symantec (e.g. Windows Vista Kernel Mode Security and the messaging that Symantec released with it.) For example, from this Symantec blog entry released to summarize the paper, we get these interesting quotes:
These new technologies, along with Microsoft’s unwillingness to make compromises in this area have serious implications for the security industry as a whole.
As a result, customers around the world will lose their ability to choose what security solutions they would like to run on their operating systems, and be forced to use only those solutions offered or allowed by Microsoft. A lack of choice for customers prevents them from having the widest variety of options for security solutions to quickly address a constantly evolving landscape of security threats. In the end, a less secure Internet will result and both consumers and enterprises will find themselves more vulnerable to cyber attack.
They weren’t alone though, McAfee took out a full page ad in the financial times to deliver this FUD-filled letter.
[NOTE: The below text is a corrected version. I originally mis-typed and said "...KPP only applies to 32-bit.." when I meant to say 64-bit.]
First, let’s clarify that KPP only applies to 64-bit Windows systems and so vendors can keep doing things the same old (bad) way on 32-bit Windows Vista. What percentage of new Vista systems shipped in the first year will be 32-bit rather than 64-bit? 90%? 75%? Maybe only 50%? I can’t say – but I tend to think it’ll be higher rather than lower. Let’s say 75% for the sake of argument. So, at least 75% of Windows Vista customers are not impacted by this “issue” at all.
Now, on 64-bit Windows Vista, there are some great interfaces for implementing both antivirus and firewalls that security vendors are using to implement solutions. Note that Trend, CA, and F-Secure are already on the Windows Vista Antivirus Partner page and when I look at the Trend description I note some key words (highlight mine):
Trend Micro’s new 14.57 release of PC-cillin Internet Security now makes all of these critical security features available for both the 32-bit and 64-bit versions of Microsoft’s latest operating system: Windows Vista™. This release also works with the Microsoft Windows Security Center, which you can use to check the status of PC-cillin Internet Security, as well as download updates, enable your firewall, and control your protection against viruses and spyware.
So, even on 64-bit Vista, customers are going to be able to have antivirus software if they want it. And honestly, Symantec has a product for Windows XP x64, so I’d be willing to bet they already have a working version for 64-bit Vista too, but it hasn’t been in their interest to publicize it.
Now, let me ask you a question – what other security software do you have installed other than antivirus? Antispyware? Windows Defender covers that, or alternatively, security vendors can disable Defender and their antispyware should work fine. What else? Firewall? Covered – third party interfaces for that.
What about behavior block / host protection? It’s been out a few years now, though I can honestly say I don’t have it installed on any of my work or home systems – do you? Well, security vendors should be able to port it to 32-bit Vista without issue. For 64-bit? Some things can be done with the existing APIs, but other things are going to require new APIs in order to be supported and more work may have to be done.
Of course, let’s not forget that Sophos say they’re offering full protection on Windows Vista 32 and 64-bit, including their innovations for behavior blocking.
So, to review, I am going to put some numbers on things that I think are reasonable approximations, or even a little generous towards 64-bit. These are a total guess, but as I say, I think they’re reasonable. If you dont’ agree, substitute your own numbers. Let me assume that:
- 75% of Windows Vista in year 1 will be 32-bit (no KPP, almost all traditional security products should be able to be ported and work)
- 25% of Windows Vista in year 1 will be 64-bit (may be a bit generous)
- 100% of the 64-bit systems will have antispyware protection
- 100% of the 64-bit systems *can* have antivirus protection, if the customer chooses. In fact, there are free offers listed here, plus the offer from Sophos.
- 100% of the 64-bit systems will have advanced inbound and outbound firewall protection
- 100% of the 64-bit systems will have the benefits of Kernel Patch Protection, ASLR, Hardware Data Execution Protection, Pointer obfuscation, UAC, C-“safe” libraries and runtime and the other SDL-process benefits that accrue to Windows Vista.
Any Behavior Blocking/HIPS software that depends on hooking the kernel will not work on 64-bit of course, but does that really support an assertion of “In the end, a less secure Internet will result and both consumers and enterprises will find themselves more vulnerable to cyber attack” ???
[NOTE: You don't like these numbers? Make your own assumptions and see how it comes out. Do you think it results in a less secure internet and customers finding themselves vulnerable to attack? And share your thinking with us, so we can all benefit from your thoughts and analysis.]
I don’t think so. But you know what? For that software that currently depends on hooking, you can bet that meetings have already happened with Windows Architects to try and define the next generation of documented APIs that will help them do their thing in a designed, defined and supported way…