Security solution provider Agnitum claims that Microsoft's kernel patch protection will shut out competing products unless competitors resort to hacker tactics.
In an article posted to the company's Web site, Agnitum said that because of the way Microsoft designed its kernel patch protection "it will be more complicated for third-party security software companies to install and maintain their software on Windows PCs. In some circumstances, kernel patch protection may even block the installation of third-party security software."
The brunt of the complaint centers around the way some vendors hook into the kernel in order to gain enough control to defend the system against attacks. Agnitum said in order to protect a system developers sometimes resort to patching the kernel. Such a patch might involve changing a service number in the system's Service Dispatch Table so that it points to third-party code. Then when that particular service is called by a program the third-party code is invoked instead of the original kernel code.
But that method of hooking into the lower levels of the operating system won't be possible with the new kernel patch protection, which will be a standard feature of Windows Vista and the upcoming Longhorn server operating systems. Kernel patch protection was introduced with the release of Windows Server 2003 Service Pack 1 for x64 platforms and Windows XP x64 Edition.
According to Microsoft's documentation there is no way to disabled kernel patch protection on a system-wide basis nor for individual applications or drivers. The only way to disable it is to attach a debugger to the system. Microsoft expects developers to use its published application programming interfaces (APIs) in order to gain the functionality required for a given application. However, Agnitum claims that Microsoft's published APIs don't allow developers to gain preemptive on-the-fly control over low level system activity on systems that include kernel patch protection.
In closing its article Agnitum said that "Under Microsoft's proposed solution \[of using its published APIs\], a rootkit that could previously be detected by and remedied with anti-virus software will now cause the \[system to crash\]. The same result will occur after installation of security software that is not compatible with kernel patch protection technology. \[We\] believe this move by Microsoft is designed to force users to rely on Microsoft and only Microsoft for Windows security, removing the option to use third-party security solutions that, if past experience is anything to go by, are likely to be more robust and provide better protection than Microsoft offerings."
In its Kernel Patch Protection FAQ Microsoft said, "The primary motivation for implementing patch protection in Windows is to protect the integrity of the Windows kernel and, as a result, improve the overall reliability, performance, and security of Windows \[...\] Protecting the integrity of the kernel is one of the most fundamental steps in protecting the entire system from malicious attacks and from inadvertent reliability problems that result from patching. However, it is not a panacea."
Agnitum said that hackers already know how to go around the kernel patch protection and that legitimate software developers who formerly relied on kernel patching techniques might have to adopt hacker tactics in order to maintain the functionality of their software.