Time to stop the FUD on Kernel patch protection



Stepto on his blog (and for those that do not know, stepto is a senior product manager in the Vista Security Technology Unit at Microsoft.)

I'm tired of seeing people misrepresenting Kernel Patch Protection in the 64 bit version of Windows Vista. For those who don't know, this is the feature in our 64 bit operating systems that prevents *undocumented* and *unsupported* kernel interfaces from being used. So I looked at some myths that are being spread about it and tackled each one:

Then he goes into 6 myths and why they are wrong (read details at the source below):

Myth #1

Microsoft has always allowed and encouraged modifying the kernel of Windows.

Myth #2

For the first time, Microsoft is locking out people from writing to the Windows Kernel, and they are specifically locking security vendors out of the kernel to exclude competition.

Myth #3

Without full unsupported methods of modifying the kernel, Windows Vista will be less secure than any previous version because third parties cannot protect Windows users.

Myth #4

Microsoft is using flawed logic in thinking hackers will never break Kernel Patch protection. Hackers have already broken Kernel Patch Protection at a recent hacker conference in Las Vegas!

Myth #5

Microsoft owns the code. So they will silently bypass Kernel Patch Protection in their security products.

Myth #6 (they've really been busy spinning myths haven't they?)

Microsoft could easily grant exceptions to Kernel Patch Protection for known good software.

Source is here: http://www.stepto.com/default/log/displaylog1.aspx?ID=258

Who is stepto? Read this: http://www.stepto.com/default/about.aspx

Some really interesting stuff there... like - Kernel Patch protection has been shipped over 2 years ago and AV vendors have solutions that work there already (Windows XP and Server 2003 x64 edition)... Kernel Patch protection is implemented ONLY on 64 bit Vista, not 32 bit Vista... so this stuff about how it is locking them out is just BS.

Edited by BigBoy

The real issue is with windows security center's lack of extensibility and its inability to be disabled.

Symantec is upset they can't replace it with their own version (a good idea IMO, what's to stop a trojan putting its own one there that says everything is ok?)

Security Center supports branding and such though (so it's very easy to say "Protected by Symantec" or whatever)

Microsoft is actually doing a good thing for once (normally they are stubborn over the wrong things)

I can see only anti-virus, windows firewall, and windows defender listed in security center. Symantec and McAfee have a large collection of other programs (privacy guard, anti-spyware, spam-killer, etc.). So they typically provide their own security centers to control all these apps. I don't believe windows security center offers the ability to add arbitrary security applications. Is it also possible to replace the entries for windows defender and firewall?

How can security center be disabled? Please, do tell, as this is one of the first things I do when I install Vista. Atm, I disable the security center service, but this leaves a red shield on the tray. How do I disable this?

Nothing stops anyone from adding a 3rd-party security center. The problem with this approach is that a user now sees 2 security centers, which is bad for user experience.

This topic is now closed to further replies.