By Woody Leonhard
When Microsoft announced it was entering the antivirus biz, the usual nattering nabobs of negativism moaned and groaned about unfair competition and unlevel playing fields.
But several recent events seem to confirm the worst: Microsoft may well be using its desktop monopoly to trump its AV competitors. What do you think?
The PowerPoint zero-day smoking gun
Before Microsoft started selling antivirus protection, the major antivirus companies (and many of the smaller ones) enjoyed more-or-less equal access to Microsoft’s top-secret AV information. When Microsoft found out about a new threat, the AV companies all heard about it at the same time. When MS figured out how certain types of malware worked, the AV companies learned about the holes quite quickly.
Then Microsoft announced that it would start competing in the antivirus arena with the product we now know as Windows Live OneCare. AV companies received assurances that the flow of information wouldn’t stop — that Microsoft wouldn’t use its special position as the provider of the operating system to take unfair advantage with their AV product.
On September 26, antivirus researchers at McAfee discovered a new zero-day PowerPoint exploit that goes by the unlikely name of CVE-2006-4694. Like so many other zero-day exploits, this nasty critter was discovered in the wild when it dropped a targeted Trojan that McAfee calls Exploit-PPT.d.
There’s just one little problem with Exploit-PPT.d. As McAfee antivirus researcher Craig Schmugar points out in his Sept. 26 blog entry, Microsoft already knew about this particular Trojan and, presumably, the zero-day exploit that delivers it. Craig shows a listing that seems to prove that Microsoft had not only identified the exploit, but had updated one of its scanners to detect the dropped Trojan three days before McAfee found it. The Microsoft scanner, dated Sept. 23, identifies the Trojan as Win32/Controlppt.X.
My friends in the antivirus community tell me that, as far as they know, Microsoft didn’t bother to mention this particular zero-day exploit, or the Trojan, to any other AV companies. Microsoft simply updated its own AV product and let its competitors pound sand.
Microsoft goes public after the fact
On Sept. 27, Microsoft finally fessed up to the zero-day hole, issuing security advisory 925984. That advisory not only lists PowerPoint 2000, 2002, and 2003 as being vulnerable, as McAfee had advised; it also lists two versions of PowerPoint for the Mac. Take a look at the advisory and tell me if it looks like it was thrown together in the 24 hours after McAfee posted its warning.
The advisory states that Microsoft is "actively sharing information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks."
You might believe that statement, but I doubt Craig Schmugar does.
The security advisory also says, "Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability." Being the inquisitive cuss that I am, I decided to take a look at the safety scanner and see what I could find.
Windows Live OneCare Safety Center revisited
In the June 29 and July 13 paid issues of this newsletter, I talked about a remarkable, free, online antivirus scanner from Microsoft called the Windows Live Safety Center. My conjecture then, as now, is that the free Live Safety Center primarily exists to let Microsoft off the antitrust hook: Microsoft sticks antivirus detection updates in the (free) Live Safety Center before they update the (paid) Windows Live OneCare. That way, when a politician or competitor claims that Microsoft has tilted the AV playing field in its favor, Microsoft can point to the Live Safety Center and say, "But we made the fix available, free, days (or hours or weeks) before we put it in Live OneCare."
When I wrote back then about Windows Live Safety Center, it was a slow, bloated, poorly-documented and nearly unknown service with one single design objective: to keep Microsoft out of court on antitrust charges. In mid-August, the folks in Redmond morphed the Live Safety Center into the "Windows Live OneCare safety scanner." (Note the lower-case "s"es.) The new incarnation presents itself as a slow, bloated, poorly-documented and nearly unknown service acting primarily as an advertising come-on to get people to sign up for the $50/year Windows Live OneCare.
See the difference?
The new Web site for the safety scanner leaves much to be desired. The "Top threats" that are listed all date back to May and June 2006. We’ve seen, ahem, a few threats since then.
When I tried to look up the Win32/Controlppt.X Trojan, the one dropped by this new zero-day PowerPoint exploit, there was no match. When I searched for Win32/Controlppt, without the .X, I got 24 hits (including three duplicates). All of them advised, "This software threat is detected by the Microsoft antivirus engine. Technical details are not currently available for this threat." So I have no idea whether or not the Windows Live OneCare safety scanner actually removes the malware.
I asked Microsoft to comment on the current dismal state of Windows OneCare safety scanner affairs, and was told by a spokeswoman, "We are unable to participate in this particular opportunity at this time."
The Vista kernel lockout and beyond
Elsewhere in this issue of the Windows Secrets Newsletter, my co-contributing editor Ryan Russell (below) talks about Microsoft’s ongoing efforts to keep antivirus products out of Windows Vista’s kernel. Ryan’s observations, and particularly his conclusions, speak for themselves.
Microsoft has released a white paper called Microsoft Windows Vista: An Inflection Point for Kernel Security and 64-Bit Computing that deals with the controversy. I’ve gone over that paper, forwards and backwards. Aside from a few marketing platitudes, I didn’t see anything worthwhile.
At its core, Microsoft is stuck between a rock and a hard place. If Microsoft builds hooks into Vista’s kernel so antivirus products can get in, the bad guys will no doubt figure out a way to use the hooks. But if Microsoft lets legitimate AV companies into the kernel using, say, the method that MS employed for its own firewall, the ‘Softies will be put in the unfortunate position of gatekeepers over a potentially messy mob of programs that want to get in.
Microsoft has to provide some way for AV and firewall manufacturers to intercept traffic coming into and going out of your PC. The white paper says that will be accomplished with the “Windows Filtering Platform” — but gives no details about what that entails, or how it will work. What (or who) is going to keep the bad guys from using WFP?
Most troubling of all: the “hypervisor” situation, where a properly constructed hypervisor rootkit could run with absolutely no hope of detection. (Hypervisors use hardware virtualization to run outside the operating system: Blue Pill’s demo at the 2006 Black Hat conference took advantage of a hypervisor hole.) The white paper says, “Microsoft is actively building a hypervisor solution.” The guys in white hats are waiting with bated breath — and faint hope.
If Microsoft holds the keys, how do small companies and startups get in? And… who voted for Microsoft in the first place, eh?
Antitrust abuses or unfortunate oversights?
Many of you will look at the events I’ve described and shrug them off — a notification oversight here, a bit of sloppy Web site updating there, with an unfortunate kernel conundrum thrown in for good measure. But I, for one, am getting more and more uneasy about Microsoft leveraging its monopoly in operating systems to unfairly compete with antivirus, antispyware, antiscum, and firewall manufacturers.
It currently appears as if the US Department of Justice is going to roll over and play dead. At least, if there are any rumblings at DOJ, I certainly haven’t heard them. Whether the EU will take it lying down remains to be seen. There’s more than a little irony in the thought that the European Union may represent Americans’ best hope for consumer protection.
This much I know for sure: If you’re paying Microsoft to protect your computer, you’re part of the problem, not part of the solution.
Woody Leonhard’s Web site posts MS-DEFCON reliability ratings for Microsoft patches. His recent books include Windows XP Hacks & Mods For Dummies.