funsec mailing list archives

Re: Security Vendor Bypasses Microsoft's Vista PatchGuard


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Wed, 25 Oct 2006 13:08:58 -0400

On 10/25/06, Blue Boar <BlueBoar () thievco com> wrote:
Dude VanWinkle wrote:
> Err, this was a security company, not necessarily "the bad guys", but
> I get your point, I think.. correct me if I am wrong, but here is this
> issue:

No, these bad guys are unspecified bad guys.

>
> The bad guys will always be able to find another hole. It doesn't
> matter to them if the hole is later patched, as they only need their
> software to install once.

They don't care if they just rendered your copy of Vista unstable,
unsupported, or broke random things.

>
> AV and other security vendors will have to either: find several
> security holes that allow you to inject code into the kernel, not
> report them to MS, and then switch to one of the other hypothetical
> unreported methods to load into ring0 as MS finds and patches the
> holes; or just hope that MS doesn't have any flaws in the PatchGuard
> technology, right?

If the security vendor decides to go that route, then they run the risk
of Microsoft refusing to support Vista if your software is installed,
and Microsoft might "randomly fix" your method of running in the kernel.
Plus, by going the undocumented route, they probably do cause some
stability problems, but maybe no worse than what they do now.


How come Sophos isn't concerned about not having access to the kernel?

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
