Executives from both Symantec and McAfee told SCMagazine.com this week that neither company has heard definitive word from Microsoft regarding the application programming interfaces (APIs) that the company told the press it will offer to third-party security vendors to access kernel code.
"It's an issue of ‘When are they going to do it?’" said Cris Paden, spokesperson for Symantec. "And that's what we're concerned about, because they haven't provided the security vendors with a specific timeline of when they're going to do that. And they haven't provided the technical information that we need to do that. So far all we've seen has been the announcements that have been (made to the) media."
George Heron, chief scientist for McAfee, said his company's experience mirrored that of its rivals at Symantec.
"Access to the kernel code is still a big mystery," Heron said. "We haven't heard anything from them regarding ways to work with or work around or otherwise collaborate with PatchGuard on the 64-bit systems, which is very worrisome to us."
Both companies reported that Microsoft did provide the technical information it promised them on Friday to aid them in turning off the new Windows Security Center feature when their software is running. But even the delivery of this information was a mixed blessing, said Paden.
"It looks like the information they sent to us will be helpful for that," he said. "But they've always had that information — it is something we should have had quite some time ago. But nonetheless later is better than never."
Heron said that the late delivery of the Windows Security Center information and the lack of a timetable for providing APIs into the kernel will only hamper user security.
"We think delivery of this kind of information and release like this at the 11th hour like this is really a bad practice," he said.
"Because it is going to be providing last minute types of adjustments such that you're only going to be hurting the user in the end, Microsoft ought to be thinking of the users and the impediment that they are providing to protecting the users."
Stephen Toulouse, senior product manager for Microsoft's Security Technology Unit, told SC Magazine earlier this week that while Microsoft will provide additional insight into the kernel code, it will not allow independent software vendors (ISVs) to modify the code while it is running.
"I want to be clear, when we look at what ways an ISV can modify the kernel today on a 32-bit platform, one of those ways is to modify the kernel while it is running, and that is what PatchGuard is meant to prevent — not just from an ISV perspective, but from a malicious software author perspective. That is still going to be true," said Toulouse.
Both Heron and Paden said that in addition to having no definitive data on when their companies will receive the APIs, what they receive may not be sufficient to get the job done.
"I worry, because by offering up a token API to two or three is very likely not going to be enough," Heron said. "It might sound OK to the public, but from a technical perspective, visibility through one peephole to the kernel is not going to suffice because malware has the tendency to hide in all of the dark corners of the basement of the operating system."
Paden did say, however, that the Friday announcement was at least an encouragement that a suitable resolution to the problem may be found.
"To be honest with you, we have guarded optimism that they are even holding these discussions to begin with," he said, "because for two years, they said they weren't going to compromise or do a thing with this."
Rivals not convinced of Microsoft's Vista offer
By Ericka Chickowski on Oct 19, 2006 7:00PM
While Microsoft has made a lot of fanfare about the concessions they announced last week regarding kernel access to 64-bit Vista, the leading IT security manufacturers said this week that what Microsoft eventually offers them may be too little, too late.