Researcher: PatchGuard hotfix stitches up benefit to Microsoft

Microsoft has come under fire for quietly releasing a fix to its controversial PatchGuard kernel protection software in order to improve the performance of its Virtual Server 2005 product.

PatchGuard is a much-touted security addition to Windows Vista that restricts access to the Windows kernel, making it harder for hackers to run nasty software such as rootkits. But it has also broken some legitimate software programs, leading to complaints from software vendors including Symantec and McAfee.

Microsoft beefed up PatchGuard, which also ships with 64-bit versions of Windows XP and Server 2003, last July, according to Stephen Toulouse, senior product manager with Microsoft's security technology group. But one of the changes Microsoft introduced at that time harmed the operating system's ability to take advantage of Advanced Micro Devices (AMD) virtualization technology. As a result, Virtual Server 2005 couldn't work properly on AMD systems. In September, Microsoft published a "hotfix" patch that corrected the problem.

Microsoft has rolled the fix into the 64-bit version of Vista, but the only place it has notified users of the hotfix is on a Virtual Server 2005 documentation page, prompting one security researcher to cry foul, and say that Microsoft has violated its own policy on making exceptions to PatchGuard's kernel restrictions, to the benefit of its own product.

Microsoft has had to be careful about permitting changes to PatchGuard, as any changes it makes to the software could possibly become a new avenue of attack for hackers. Initially, the software giant said it would not make any exceptions to PatchGuard's restrictions, but in September, security vendors asked Microsoft for a way to get around PatchGuard, arguing PatchGuard would ultimately make their software less secure.

After a warning from the European Commission, Microsoft eventually pledged to create a set of APIs (application programming interfaces) that would give the security vendors access to the kernel-level computing resources they require. Those APIs are expected to be included in the first service pack for Windows Vista.

But according to researcher Ken Johnson, who has published a paper on the new PatchGuard features, Microsoft violated its own rules by releasing the hotfix. Johnson, a developer with Positive Networks Inc., has researched the paper on his own time and published it under his hacker alias, Skywing.

"Microsoft's policy on PatchGuard is that if a driver's functionality is being blocked by PatchGuard, and there is no way to achieve that functionality with PatchGuard in place, then that functionality will be unsupported on Windows," Johnson wrote in an e-mail interview.

But Microsoft's PatchGuard policy has changed, although this did not happen until after it released the hotfix, according to Toulouse.