funsec mailing list archives

Re: Security Vendor Bypasses Microsoft's Vista PatchGuard


From: "Fergie" <fergdawg () netzero net>
Date: Wed, 25 Oct 2006 20:15:22 GMT

Well, here's the latest, via eWeek.

[snip]

Microsoft officials say they are unhappy that security software maker
Authentium has decided to bypass the controversial PatchGuard kernel
protection feature in its next-generation Vista operating system, and
said that the tactic could lead to eventual problems for users of the
company's software.

Responding to Authentium's move to circumvent PatchGuard in its
products, company officials said that the decision to hack the feature
could prove unwise for the security vendor as Microsoft will work to
close off any flaws that allow unauthorized kernel interaction, making
technologies dependent on such access obsolete.

As a result, users of applications that circumvent PatchGuard could
find themselves unprotected from attack, or dealing with other problems
driven by a lack of authorized integration between Vista and those
products.

[snip]

More:
http://www.eweek.com/article2/0,1759,2037052,00.asp

- ferg



-- "Dude VanWinkle" <dudevanwinkle () gmail com> wrote:

On 10/25/06, Blue Boar <BlueBoar () thievco com> wrote:
> Dude VanWinkle wrote:
> > How come sophos isn't concerned about not having access to the kernel?
>
> It appears that their product doesn't rely on kernel hooks, and so they
> are capitalizing on that for their marketing.  Symantec broken?  No
> problem!  Just buy our stuff instead...

Based on Sophos' description, they do static analysis at load time for
their HIPS functionality.
http://www.sophos.com/pressoffice/news/articles/2006/10/sophos-vista.html

Sounds to me like Sophos has a point, even if it's made for marketing
purposes. Patchguard, while not stopping the most wily attackers,
would stop the rootkits that are available today from being a valid
payload.

Isn't that worth something?

-JP


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.