When it comes to securing its products, Microsoft cannot win. If it fails to defend and protect its products properly, Microsoft will be rightly pilloried by its users in the consumer and enterprise markets. if it improves the security of its products, bolstering their inherent defenses and strengthening their capabilities to withstand and repel malware attacks, security vendors will run to the government complaining about anticompetitive practices.
If I were Microsoft, I’d put customers first and third-party security vendors a distant second.
A case in point is the controversy that has ensued around Microsoft’s PatchGuard, which the company designed to protect Windows kernels, including the forthcoming Vista kernel, from malicious code attacks. PatchGuard is relevant only to 64-bit versions of Windows. It debuted last year in Windows XP x64 Edition, but it will become more prevalent as Vista gets rolled out commercially throughout 2007.
According to an informative article that appears on CNET’s News.com, the problem that security vendors have with PatchGuard is that, by design, it bars their host-based intrusion-prevention products from gaining access to the Windows kernel. Host-based intrusion prevention (HIPS) products are an emerging class of security software that examine a program’s behavior to determine whether it is malicious instead of employing the traditional signature-based approach (as used in antivirus software, for example), which checks a program against a database of known threats. To work effectively, security vendors argue, HIPS offerings require access to the operating-system core.
Understandably, Microsoft isn’t about to allow unrestricted access to the kernels of its 64-bit operating systems. At least a few security vendors, including Symantec, appear to understand Microsoft’s reasoning, which should be self-evident even to those with the most rudimentary comprehension of computer security.
Remarks Bruce McCorkendale, a chief engineer at Symantec:
There is definitely a legitimate need to lock down the kernel. I don’t suggest they eliminate PatchGuard. What I am asking for is an exception. There are less restrictive means available, and we have proposed many solutions to Microsoft. But it has fallen on deaf ears.
Microsoft, however, opposes the proposal to make exceptions. Says Stephen Toulouse, a program manager in Microsoft’s Security Technology Group:
When you get into the concept of exceptions, you get on a slippery slope. What made a lot of sense to us is simply to restrict the kernel without exception, creating a level playing field that all of the vendors, including Microsoft, can then operate by.
Now that makes sense, even though security vendors allege that malicious hackers can circumvent PatchGuard to breach the kernel today. The security vendors say they will have to adopt hacker tactics, finding mechanisms to bypass PatchGuard, to ensure that their intrusion-prevention offerings can work with and on Vista.
Interestingly, Vlad Gorelik, chief technology officer at host-based intrusion-prevenion vendor Sana Security, inadvertently makes a point I have on this forum previously. Gorelik notes that, with the advent of PatchGuard, Microsoft is effectively taking control of security for the Windows core. He points out that, in the past, third parties also provide defenses for the kerne. Now, he contends, if PatchGuard is circumvented or disabled somehow, it will be Microsoft’s obligation to repair the flaw and ensure that Windows PCs are secure.
Think about what he’s saying. Essentially, Gorelik is indignant that Microsoft has the temerity to secure its own products. I have news for Mr. Gorelik and all the other third-party security vendrors: That is what Microsoft should have been doing all along. An enormous third-party security industry never should have been allowed to grow in the shadow of Microsoft’s dereliction and neglect. It most definitely is Microsoft’s responsibility to defend and protect its software products from bugs, hackers, malware, and vulnerabilities. Third-party security firms do not possess a legal entitlement to make money from Microsoft’s negligence.
This is why I believe, as long as Microsoft effectively exclusively employs PatchGuard and secure coding practices to shield the Vista kernel, host-based intrusion prevention vendors will have no legitimate recourse to go running to the Justice Department and the European Union for punitive or regulatory intervention, which is precisely what they are threatening to do.
The issue here isn’t application software, such as Web browsers or preloaded media players; we’re talking about integral system security, the provision of which should be incumbent on the vendors that develop the operating system and the programs that run on them. Security is not a market just like any other; it’s a responsibility of the vendors who build the operating systems and applications that we use. If they fail, we might have to seek protection elsewhere, but the so-called security industry should not be sheltered and sustained by misguided judicial or legislative measures that compel a software vendor to leave gaping security holes in its products. The absurdity of such a situation, if it were to arise, should cause us all to wonder whether we’ve completely taken leave of our critical and logical faculties.
If Microsoft were to enter the market for host-based intrusion prevention, though, with a product benefiting from selective exceptions that allowed it to bypass PatchGuard to access the kernel, well, that would be a different story. If that were to happen, the third-party security vendors would have an ethical and legal case, and Microsoft should be punished and then compelled to provide similar PatchGuard exceptions to other HIPS vendors. However, as long as that is not the case, I don’t see why Microsoft should heed this irrational bleating.
If Microsoft has done anything wrong here, it might have failed to communicate its intentions clearly to the security-vendor community regarding PatchGuard and its kernel security, as Gartner analyst John Pescatore suggests. Perhaps the message could have been delivered earlier and more cogently. Other than that, though, Microsoft seems to be on solid ground.
By trying to make its products more secure, Microsoft is acting in enlightened self-interest. It realizes that security was a black eye for the company, a sign that it didn’t care what happened to its customers or their computers after they had forked over their money for Microsoft’s products.
That not-so-benign neglect caused Microsoft no end of censure, embarrassment, ridicule, and vituperation. The company deserved all the condemnation and disparagement it got. Now it’s stepping up to the plate, taking on the security challenge with measures that should have been in place from the beginning.
Microsoft finally understands, at least when it comes to software security, that customer satisfaction matters. If only some of the vendors in the security industry could espouse the same philosophy.