Authentium: Vista kernel cracked

Some security ISVs such as McAfee and Symantec have been fighting for Microsoft to give them access to 64-bit Vista's kernel so the OS won't reject their security wares.

Security vendor Authentium is taking a different approach: it has found a way to simply bypass PatchGuard, the mechanism in 64-bit Vista intended to stop software from patching or hooking the kernel, according to reports.

Authentium's CTO Helmuth Feericks told Reuters last week that his company "had figured out a way to turn off PatchGuard protection, install its own software, and then turn it back on."

That technology has made its way into Authentium's ESP Enterprise Platform, according to PC Magazine. ESP includes virus protection, antispyware, data recovery, personal firewall, parental controls, popup blocker, and transaction security modules.

An Authentium Virus Blog entry written Oct. 20 says the following:

"The promises Microsoft has made about PatchGuard do not solve any problems for us and by the time they deliver will not be of any use to us. This is assuming that if they deliver something to help anybody, it will actually be something usable. It will allow an unfair advantage to Microsoft when competing with the security vendors as they can and will most likely bypass PatchGuard for their own products and will not allow their competition to do the same."

(The entry doesn't mention Authentium's claim that it has bypassed PatchGuard, but it does refer to a non-disclosure agreement with Microsoft. Presumably, said NDA has expired, been broken, or else there's more to be revealed.)

If Authentium's claims are to be believed, it's not a good sign for Redmond, which has gone to great lengths to tout Vista's security in the hope of putting Windows' tainted security record behind it. If the company has managed to tiptoe around PatchGuard so soon, clever hackers should be able to as well.

In fact, according to a recent entry in Symantec's Security Response Weblog by Oliver Friedrichs, director of emerging technologies in Symantec Security Response: "... [H]ackers have already broken PatchGuard and can disable it. This means that hackers can already get malicious code into the Windows Vista kernel; while legitimate security vendors can no longer protect it. This presents a serious new risk for consumers and enterprises worldwide."

Friedrichs goes on to say, "... [I]f hackers can bypass PatchGuard, why don't security vendors? We certainly could, if we chose to; however, Microsoft has firmly stated that any attempt to do so will result in an update to PatchGuard, which will detect these attempts. It would be foolish for Symantec to ship a product out to over 200 million desktops that may result in a BSOD on each desktop, if Microsoft decides to update PatchGuard."