Deji Akomolafe

Microsoft to AV Vendors and EU: "Just trust us"
Location: Blogs / Technically Rambling
Posted by: Deji Akomolafe, 10/5/2006

There is an ongoing brouhaha between Microsoft and a couple of its partners in the Anti-Virus software space (notably, McAfee and Symantec). From the partners' perspectives, Microsoft's plans for the next versions of its flagship Operating Systems (Vista and Longhorn) will lock the partners out of the kernel and (to be brief) they argue that this will give Microsoft's own Anti-Virus and Anti-Malware products an unfair advantage over their products.

In the Partners' corner is the mighty European Union which had already found Microsoft guilty of numerous instances of giving itself unfair advantages in the past.

Microsoft has vociferously defended itself on many fronts, stating that the Partners are crying wolf where none exists. Microsoft's arguments to counter the Partners' complaints seem to rest on the following points:

  • This is NOT a new change
  • Microsoft has been actively engaging with the Partners throughout Vista and Longhorn's evolution and assisting them in understanding the change
  • Only these 2 vociferous Partners seem to see any problem in this change; others (like Trend) are fine with it
  • Lastly, Microsoft's AV product developers have THE SAME access to the OS Kernel as EVERY AV Partner. Nothing more. Microsoft is not in the habit of giving its product an unfair leg-up where the OS is concerned.

It is this last claim that I want to address in this write-up. I am not focusing on this last piece because I think the other points do not merit discussion; rather, I am doing so because I think it is a dubious claim at best, a false one (if one is not interested in being charitable to Microsoft), and such a ridiculous claim that it should not have been made by anyone closely associated with Microsoft, given Microsoft's track record in this "Trust" business. Yet, it is a claim being made by knowledgeable people like Ben Fathi and Stephen Toulouse.

I would especially like to focus on Stephen's (Stepto's) ridiculous attempt to float this punctured balloon in his article referenced above.

Let's see Stepto's Myth #5 from the said article:

Myth #5: Microsoft owns the code. So they will silently bypass Kernel Patch Protection in their security products.

According to Stepto: Wrong. Sounds like someone needs to read the Windows Principles. Our security software, or other software for that matter, is not going to bypass Kernel Patch Protection. Moreover, third party security vendors would be quick to point out such instances, due to their expertise in reverse engineering, but no such cases exist to point to. This is unfounded conjecture.

 

In Stepto's world, anyone who makes this claim is an ignoramus living in a bubble and possessing not an ounce of clue. Is that so? I wanted to step into Stepto's real world, just to be sure that I still have control of my mental capacity. I went into System32 on my Windows Server 2003 SP1 machine and opened up DNSAPI.DLL in my favorite editor. I must still be in a funk, because here's what I see:

  • www.msdn.com
  • msdn.com
  • www.msn.com
  • msn.com
  • go.microsoft.com
  • msdn.microsoft.com
  • office.microsoft.com
  • microsoftupdate.microsoft.com
  • wustats.microsoft.com
  • support.microsoft.com
  • www.microsoft.com
  • microsoft.com
  • update.microsoft.com
  • download.microsoft.com
  • microsoftupdate.com
  • windowsupdate.com
  • windowsupdate.microsoft.com

If you don't know the significance of the above, please read my earlier post, "Arrogance of power... or sheer stupidity".
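As an added illustration (not code from the original post), the Python below does what the author did by hand in an editor: it pulls embedded hostnames out of a binary image, scanning both plain ASCII and UTF-16LE strings (the encoding Windows system DLLs use for most strings), and then reports which hosts-file entries name one of those built-in hosts and so would not be honored by a resolver that consults its own list first. The blob and hosts file are constructed sample data, not the contents of the real dnsapi.dll.

```python
import re
from typing import List

# A hostname: dot-separated labels ending in an alphabetic TLD of 2+ chars.
_HOST_RE = re.compile(rb"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
# A run of at least four printable UTF-16LE code units (ASCII byte + NUL).
_UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def find_hostnames(blob: bytes) -> List[str]:
    """Return the distinct hostnames embedded in `blob`, sorted.
    Pass 1 scans plain ASCII text; pass 2 narrows each UTF-16LE run to
    ASCII (dropping the NUL high bytes) and scans that as well."""
    names = set()
    for m in _HOST_RE.finditer(blob):
        names.add(m.group(0).decode("ascii").lower())
    for run in _UTF16_RUN_RE.finditer(blob):
        narrow = run.group(0)[::2]          # keep only the low bytes
        for m in _HOST_RE.finditer(narrow):
            names.add(m.group(0).decode("ascii").lower())
    return sorted(names)

def ignored_hosts_entries(hosts_text: str, hardcoded: List[str]) -> List[str]:
    """Return hosts-file lines (comments stripped) whose hostname is in
    `hardcoded`: a resolver that checks its built-in list before the hosts
    file, as the post describes for dnsapi.dll, would never honor them."""
    pinned = {h.lower() for h in hardcoded}
    hits = []
    for line in hosts_text.splitlines():
        body = line.split("#", 1)[0].strip()
        fields = body.split()               # [address, name, alias...]
        if len(fields) >= 2 and any(f.lower() in pinned for f in fields[1:]):
            hits.append(body)
    return hits

# Constructed sample image: fake header, two UTF-16LE hostnames and one
# ASCII hostname separated by filler bytes. Not real dnsapi.dll content.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "www.microsoft.com".encode("utf-16-le") + b"\x00\x00AB\x00\x00"
    + "windowsupdate.com".encode("utf-16-le") + b"\x00\x00"
    + b"plain ascii: update.microsoft.com\x00"
)

# Constructed sample hosts file: an admin pointing update traffic at an
# internal mirror, which is exactly the kind of entry a built-in list overrides.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
10.0.0.9 update.microsoft.com # internal update mirror
10.0.0.9 windowsupdate.com
"""
```

Running `ignored_hosts_entries(SAMPLE_HOSTS, find_hostnames(SAMPLE_BLOB))` lists the two mirror entries as the ones the hosts file can no longer control.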

 

Why is this relevant? No real reason, except that it simply deconstructs Stepto's and Fathi's (and every other Microsoft Evangelist's) claim that Microsoft is worthy of being taken at its word.

 

Let's see how many holes it blows in Stepto's attempt to deconstruct the so-called "Myth #5":

 

According to Stepto: someone needs to read "Windows Principles".

 

I agree, but Stepto's finger is pointed in the WRONG direction. He and his folks inside Microsoft need to urgently stop stomping on that document first before asking anyone else to take it seriously.

According to Stepto: third party security vendors would be quick to point out such instances.

 

Of course, they would. That is not the problem. The problem is that Microsoft can simply say "Bite Me!" and show everyone the middle finger, like they've been doing with their abuse of this DNSAPI shelter. So, what exactly is Stepto's point here? That Microsoft is afraid to be caught doing the wrong thing, when it has repeatedly shown that it is not afraid of being caught doing the wrong thing? This is supposed to compel us to "Trust" Microsoft?

 

According to Stepto: but no such cases exist to point to.

Well, Stepto, I've got news for you.

 

Let's move on to Stepto's Myth #6 (they've really been busy spinning myths, haven't they?):

Myth #6: Microsoft could easily grant exceptions to Kernel Patch Protection for known good software.

 

According to Stepto: Wrong. 

 

OK, let's rewrite the above, swapping in the words that actually apply, and see if Stepto will be able to agree:

Microsoft could easily grant exceptions to dnsapi.dll (in place of "Kernel Patch Protection") for its own IMPORTANT URLs (in place of "known good software").

 

What say you now, Stepto?

 

According to Stepto: Here's the numerous problems with exceptions.  First, you grant one, pretty soon you have to grant thousands.

I can't argue much with this. In fact, I am still waiting for when Microsoft will let me stuff my own set of known good URLs into dnsapi.dll so that I can be afforded the same level of protection. What's good for the goose.... you know?

 

According to Stepto: Second, the more exceptions you grant, the more you dilute the protection.  Attackers will simply morph their attacks to try and mimic the "safelist" to get an exception.

 

Stepto is a very knowledgeable and influential technologist. People (me included) respect his opinions not just because he's articulate, but because he is smart, intelligent and knows his stuff as well. It warms my heart to know that I seem to be on the same wavelength with him on this point. So, let's ask him - is it trustworthy of Microsoft to pack dnsapi.dll with its list of URLs and "lock" others out? Is it wise to claim that this is being done for security when we know full well that a breach that can alter the hosts file will also be able to replace the dll?

 

 

According to Stepto: Fourth, by granting an exception list you introduce a huge performance problem into the kernel, as you force it to check a safelist with every single operation.

You mean much like we are doing with dnsapi, where we totally bypass the long-held tradition of making the hosts file the final arbiter in name resolution?

 

According to Stepto: Fifth, how would the logistics for adding and removing exceptions work?  Would it only be done in software updates?  Service Packs?  Would someone sue because we weren't fast enough implementing them into a safelist?

Ha-ha! We've come to the "meat" of the discussion, if you will. Symantec and McAfee and the others complaining today have seen what Microsoft is capable of doing. Microsoft has lost its claim to "Trust", not just in the court of public opinion, but also in the courts. The fact is that Microsoft can NOT accommodate every legitimate request from all parties concerned that their set of trusted URLs should be given the same protection as Microsoft's URLs in dnsapi. So, the only logical conclusion is that Microsoft did NOT have any intention of accommodating anybody's request to do so. Which leads us to conclude that Microsoft is unjustly using its ownership of the said dll to give itself an unfair advantage. The fact that Microsoft did this without publicly disclosing it shows that it couldn't be bothered with fair play. The fact that Microsoft continues the practice without offering everyone else a chance to play shows that Microsoft does not care whether it is found to be playing unfairly or not.

 

A combination of the above shows that Microsoft is not deserving of the level of Trust Ben and Stephen and others are asking us to repose in it. Fool me once... can't fool me again. What makes Microsoft and its people think they can keep fooling us?

Copyright ©2006 Deji Akomolafe