Uninformed: Informative Information for the Uninformed

Vol 8» 2007.Sep
Conclusion

Although PatchGuard 3 does bring some pointed counter-attacks against many previously disclosed bypass techniques, version 3, like its predecessors, is hardly immune to being either disabled completely or simply co-existed with. It is likely that future revisions of PatchGuard will continue to be vulnerable to a variety of bypass techniques, though it is certainly within Microsoft's reach to counter many of the publicly disclosed bypass vectors. The author anticipates that until PatchGuard can be implemented with hardware support, such as a combination of trusted boot (TPM) and a permanent hypervisor, future revisions will continue to be vulnerable to attack by determined individuals.

On the other hand, Microsoft's efforts with PatchGuard appear to have paid off so far in terms of preventing a mass uptake of PatchGuard-violating drivers on Windows x64. In other words, a case could be made that Microsoft doesn't need to be perfect with PatchGuard, only "good enough" to give vendors cold feet about shipping products that bypass it. Only time will tell whether this remains the case, however.