Menu
Microsoft denies PatchGuard update, kernel hacks link

Microsoft denies PatchGuard update, kernel hacks link

Just a coincidence that kernel protection beefed up after attacks disclosed

Tuesday's update to Windows Vista's PatchGuard, a kernel protection scheme designed to keep malicious or unproven code at arm's length, had nothing to do with recent hacks of another Vista defense, Microsoft said Thursday.

The update to Kernel Patch Protection (KPP), also known as PatchGuard, was issued Tuesday to Vista 64-bit users, but the description of the enhancement was inscrutable. All Microsoft said at the time was "this update adds checks to this protection for increased resiliency in Windows."

Third-party researchers filled the vacuum with speculation about the update's purpose, with much of that speculation centered on a possible connection between the update and multiple disclosures that Vista's kernel code signing defense -- another barrier Microsoft set up to protect the kernel, but separate from PatchGuard -- could be easily circumvented. Among the end-arounds was a utility written by Alex Ionescu, a Canadian college student interning this summer at Apple. Ionescu's "Purple Pill" used a flawed, but legitimate and signed ATI Technologies video driver, to slip unsigned code past Vista's protection.

When asked to divine the update's intent, Ollie Whitehouse, a Symantec researcher tracking Vista kernel signing, said he believed Microsoft was reacting to the code-signing evasions by toughening up PatchGuard. "It looks like they are trying to make it harder to do anything malicious once you've exploited vulnerabilities which allow code to be executed in the kernel, such as the ATI driver," Whitehouse said Tuesday.

Microsoft claimed that wasn't the case. "These are unrelated events," said Russ Humphries, a senior product manager on the Vista team in a posting to the group's blog Thursday. "Perhaps the mix up is due to a confluence of events, or -- put another way -- the fact that we released an update to KPP at the same time that news about an ATI driver issue appeared," Humphries continued. "The update to KPP has no relationship to the ATI driver issue or recent topics related to code signing."

Others in the company pointed out Wednesday that PatchGuard, or KPP, has been updated before. During Microsoft's monthly post-patch webcast Wednesday, Mike Reavy, a program manager with the Microsoft Security Response Center, said: "It's normal for us to update KPP on an ongoing basis. This is the second type of update we've released."

For his part, Ionescu agreed that his utility and the PatchGuard update were not conjoined. "They're not related," he said Wednesday. "The PatchGuard patch was gonna come out either way."


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments