Symantec probes Vista's defences

In a third and final report on Windows Vista, Symantec examined the security of the operating system core and found some vulnerabilities.

Vista includes several barriers designed to prevent malicious code from gaining access to the operating system core or kernel. These enhancements are "quite substantial" and result in a "dramatic reduction" of the overall attack surface of the operating system, Symantec said in a report published on Tuesday.

Matthew Conover, principal security researcher at Symantec, wrote in the report entitled Assessment of Windows Vista Kernel-Mode Security: "However, we have identified certain weaknesses in the kernel enhancements that may be leveraged by malicious code to undermine these improvements."

Vista, slated to be broadly available in January, will be the first new version of Windows for PCs since XP, which was released in 2001. Microsoft has put a strong emphasis on security in Vista and promotes it as its most secure version of Windows yet.

Microsoft dismissed Symantec's report as old news, because the research is based on a Vista build released several months ago. A Microsoft representative said: "Microsoft has been progressing toward the final release of the product and has released subsequent builds that have addressed the majority of the issues identified in this report."

The Symantec report focuses on the 64-bit version of Vista, which has more kernel security features than the 32-bit version. Conover looked at build 5365 of Vista, released in April, for the report. "There have been security-related changes in subsequent builds, and we expect more changes up until the final release candidate," he noted.

In the report, Conover claims it is possible to circumvent several of the techniques Microsoft designed to protect the Vista core from malicious code. For example, the 'PatchGuard' feature that checks the integrity of key parts of the kernel code can be disabled, according to the report.

Also, an attacker could disable a mechanism to block unsigned driver software to run on Vista PCs by "patching" core operating system files, Conover wrote. Malicious drivers pose a serious threat because they run at a low level in the operating system. Last week another researcher attacked the same Vista security feature at the Black Hat event in Las Vegas.

Microsoft thanked Symantec for its feedback, even though the software giant called it "unusual for a partner to provide this amount of analysis and publish its findings on a beta version of Windows Vista".

Traditionally allies, Microsoft and Symantec are now going head-to-head in the security arena. In late May, Microsoft introduced Windows Live OneCare, a consumer security package, and the company is readying an enterprise product. Symantec has sued Microsoft, alleging misuse of data storage technology it licensed to the company.

Earlier Symantec reports on the Vista kernel looked at the networking stack and user account control features of Vista.

Joris Evers writes for CNET News.com