First Blue Pill, then Authentium. Now even small fry are talking smack about PatchGuard. Is this technology DOA?

TechWatch blogged about the three-ring circus called “Vista PatchGuard” that popped up in the middle of the once staid security market in recent months. As I’m sure you know, vendors like Symantec and McAfee are none too happy about Microsoft’s kernel protection technology for 64-bit Windows Vista systems, claiming that it will prevent them from taking the steps necessary to detect and protect users from threats like rootkits. Microsoft has always said that it will work with third-party vendors to extend the Vista kernel and enable alternative types of protection through APIs and other fixes, provided that PatchGuard remains in place. But with Gartner estimating that those kinds of extensions will take years to complete, security vendors aren’t anxious to wait around while Microsoft polishes its security lineup.

This week saw security vendor and Microsoft partner Authentium jump ship, announcing on Wednesday that a new technology the company will unveil next month, VirtualATM, will allow it to circumvent PatchGuard and “hook” the Vista kernel so that it can secure online banking transactions from Trojans, keyloggers and other types of malware. The company toned down its language yesterday, with a new post that claims VirtualATM just adds a “complimentary” layer of security to PatchGuard, but doesn’t subvert it. Authentium implores Microsoft not to “go it alone.” According to published reports, Microsoft plans to patch PatchGuard to prevent the VirtualATM hack, just as it patched Vista to prevent the “Blue Pill” hypervisor hack demonstrated by Joanna Rutkowska at the Black Hat Briefings conference.
But with two PatchGuard patches out before Vista even hits the streets, and hackers estimating that PatchGuard bypasses will be available within months or a year of Vista’s public release, the whole argument for the technology — that it would make the kernel off limits to malicious code — seems to be turning into so much sand.

With blood in the water, even small fry are taking their licks at PatchGuard. Firewall vendor Agnitum is talking smack about PatchGuard today on its blog, and has referred to PatchGuard as Microsoft’s Maginot Line. Not that the opinions of Agnitum count for much in the hallways of Redmond, but the allusion to France’s ill-fated series of static fortresses along the border with Germany, which Hitler’s army easily circumvented in its invasion of the country, is apt. More than one security researcher has already admitted that, whatever its benefits, PatchGuard won’t be hack-proof. Monumental security “fixes” like PatchGuard and the Maginot Line only work for as long as it takes some smart hacker to figure out a way around them, at which point they become a monument to fighting yesterday’s battles. Security