Symantec Vista White Paper Links to PatchGuard Crack


Section: common | For your questions: KezNews forum | 1.3.2007

In a curious decision on the part of a security software company, a white paper released today on the Web site of Symantec - whose opinions of Microsoft's implementation of PatchGuard protection on 64-bit Windows Vista are well known - contains the address of an independent research paper which includes a demonstration of defeating PatchGuard, complete with source code, in an early Vista beta.
The address of the PDF white paper entitled "Bypassing PatchGuard on Windows x64" -- which was released in December 2005 and has since acquired a modicum of fame and respect -- is located in Symantec's 16-page analysis of Microsoft's security technologies, in a footnote to this sentence: "As demonstrated during the development process of Windows Vista and during its release, hackers can and will subvert PatchGuard."

One of the linked paper's authors, however - a professional developer and Microsoft MVP named Ken Johnson, using the handle Skywing - is certainly no "hacker" in the more negative sense of the word: he works for a company that produces virtual private network software for Windows and performs legitimate reverse engineering as a hobby. Johnson originally co-authored the thoughtful and well-researched paper as a wake-up call for Microsoft well before Vista's release.

"In the interest of not identifying a problem without also proposing a solution," Johnson and his co-author wrote in the paper's conclusion, "each bypass technique [presented here] has an associated list of ways in which the technique could be mitigated by Microsoft in the future."

Symantec's reference to Johnson's work comes by way of a newly refreshed indictment of Microsoft's PatchGuard technology, whose purpose in 64-bit Vista is to block unauthenticated programs from directly accessing the system kernel. While the technology was designed to disable rootkits, it also prevents anti-virus programs, including Symantec's and McAfee's, from detecting when other unauthorized programs attempt to bypass the system, whether or not such attempts would succeed if left unmonitored.

In its white paper, Symantec lumped PatchGuard together with two other Microsoft technologies formally adopted by Vista: code integrity for ensuring the legitimacy of installed executables by means of hash signatures of their binary contents, and driver signing for verifying the authenticity of low-level programs written by third parties.

"The kernel integrity protection mechanisms that are present on 64-bit Windows Vista can only be described as a bump in the road," Symantec's paper suggests. "That is, while these technologies may slow down an attacker, they may not provide a meaningful defense against a determined one."

Researchers for Symantec's paper analyzed all three 64-bit Vista security innovations, and came to a dire conclusion: "Results have shown that all three technologies can be permanently disabled and removed from Windows Vista after approximately one man-week of effort. A potential victim need make only one mistake to become infected by a threat that does the same."

But as if that didn't say enough, the paper then makes a very sweeping and potentially unsubstantiated claim: that all three technologies are left capable of being "stripped from Windows Vista in their entirety." Later in the paper, Symantec did demonstrate how the group policy object editor can be used (by design) to turn off a different Vista security feature, User Account Control, which stops the system and notifies users whenever a system-changing event is about to occur. Many security firms, among others, have suggested that users are more likely to regard UAC as an annoyance than as a feature, and that many will turn it off anyway.

Symantec advises against doing so, however, and in its paper's conclusion gently admonishes users at large for even thinking about such things - even when someone else puts the idea in their heads. "Symantec continues to see the user as the weakest link," the paper concludes, "as social engineering attacks become more elaborate in order to undermine the security technologies within Windows Vista."

source: betanews
