Virus expert: Vista's PatchGuard kernel protector will soon be cracked
Shortly after Microsoft releases the final version of Windows Vista, attackers may be able to bypass the PatchGuard kernel protection and infect systems with rootkits and other malware. At least, that was the expectation expressed by Aleksander Czarnowski from AVET in a speech at this year's Virus Bulletin Conference in Montréal. This is not to say that the attackers would try to hawk their abilities publicly. It's more likely that they would keep their knowledge under wraps and apply it discreetly.
PatchGuard is intended to protect Vista's kernel against manipulation by malware. On Windows XP it is relatively easy for a rootkit to patch kernel code and data structures so that its components are hidden from antivirus software. PatchGuard exists only in the 64-bit editions of Windows: it first shipped with the x64 editions of Windows XP and Server 2003 and will be part of 64-bit Vista, while the 32-bit editions get nothing comparable. Whether the 64-bit versions will gain quick and wide acceptance is questionable, since few applications benefit much from them and not all drivers are available in 64-bit versions.
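To make the mechanism concrete, here is an added, constructed user-mode simulation (not Microsoft's code and not a real driver): a stand-in for a kernel dispatch table, a rootkit-style hook that filters "rk_" entries out of a file listing so a scanner never sees them, and a guard that snapshots a checksum of the table and reports when it has been altered. The table, the hook, the guard and every name in it are invented for illustration. Real PatchGuard is obfuscated, covers far more than one table, runs at randomized intervals and bug-checks the machine on a mismatch; the simulation keeps only the core idea of comparing protected structures against a known-good state.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_ENTRIES 8

/* Constructed "system service" signature: fill out[] with names, return count. */
typedef int (*service_fn)(const char *out[], int max);

/* Constructed directory contents; "rk_" entries belong to the rootkit. */
static const char *g_files[] = {
    "notepad.exe", "rk_driver.sys", "report.doc", "rk_config.dat"
};

/* The genuine service: lists every file. */
static int original_enum_files(const char *out[], int max) {
    int n = 0;
    for (size_t i = 0; i < sizeof g_files / sizeof g_files[0] && n < max; i++)
        out[n++] = g_files[i];
    return n;
}

/* Rootkit-style hook: calls the original, then drops its own "rk_" entries,
 * so an antivirus scanner calling through the table never sees them. */
static int hooked_enum_files(const char *out[], int max) {
    int n = original_enum_files(out, max);
    int kept = 0;
    for (int i = 0; i < n; i++)
        if (strncmp(out[i], "rk_", 3) != 0)
            out[kept++] = out[i];
    return kept;
}

/* Stand-in for a kernel dispatch table (the SSDT is the classic target).
 * Slot 0 is "enumerate files". */
static service_fn g_table[MAX_ENTRIES] = { original_enum_files };

/* FNV-1a over the raw table bytes: the guard's integrity checksum. */
static uint64_t hash_table(void) {
    uint64_t h = 1469598103934665603ULL;
    const unsigned char *p = (const unsigned char *)g_table;
    for (size_t i = 0; i < sizeof g_table; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t g_baseline;

/* Guard records the known-good checksum at "boot". */
void guard_init(void) { g_baseline = hash_table(); }

/* Periodic check: 1 = table intact, 0 = table has been patched. */
int guard_check(void) { return hash_table() == g_baseline; }

/* What the rootkit does: overwrite a table slot with its hook. */
void rootkit_install(void) { g_table[0] = hooked_enum_files; }
void rootkit_remove(void)  { g_table[0] = original_enum_files; }

/* What a scanner does: call the service through the table. */
int enum_files_via_table(const char *out[], int max) {
    return g_table[0](out, max);
}

int main(void) {
    const char *buf[MAX_ENTRIES];
    guard_init();
    printf("clean listing: %d files, guard says %s\n",
           enum_files_via_table(buf, MAX_ENTRIES),
           guard_check() ? "intact" : "TAMPERED");
    rootkit_install();
    printf("hooked listing: %d files, guard says %s\n",
           enum_files_via_table(buf, MAX_ENTRIES),
           guard_check() ? "intact" : "TAMPERED");
    rootkit_remove();
    return 0;
}
```

The hook hides two of the four entries, and the guard flags the table the moment the slot is overwritten. Because the real check runs only periodically, there is a window between a patch and its detection, which is one reason Microsoft describes PatchGuard as a hurdle rather than an absolute barrier.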
Microsoft nevertheless views PatchGuard as a high hurdle for potential attacks, but not something that makes them impossible. "On 32-bit systems it's easy to access the kernel. We're trying to prevent that for Vista," writes Stephen Toulouse from Microsoft. Should tricks surface for circumventing PatchGuard, software updates can always be released to thwart them, he indicates.
Although many security specialists have taken on the challenge, none has yet succeeded in bypassing PatchGuard in a beta version or a release candidate. So far only Joanna Rutkowska has demonstrated a way to get malicious code into Vista's kernel, and she did so not by defeating PatchGuard itself but by getting around Vista's requirement that kernel drivers be signed.
Symantec also made significant progress during its analysis of the beta version, but had to concede that most of the problems it found had already been removed in later builds. In a full-page ad in the Financial Times, McAfee complained that Microsoft is using PatchGuard to restrict the integration of third-party security products.