Could It Be Any More DEPressing?

Year of December 31, 2005

Yes it could - you could be one of those miserable slobs still running Windows.

The only known way out of the current Windows WMF dilemma is with something known as 'DEP'. It doesn't matter what this supposedly impressive acronym stands for, but it does matter what it does and how it works.

DEP is supposed to stop execution of Windows code from memory areas not marked for execution. If you were running Windows right now (which would be inadvisable) and if you had a copy of the XPT and fired up Memview through X-tool, then you could see how virtual memory on Windows is laid out.

You can get a rough idea by accessing the blurb page for Memview here. In particular look for the line:

• PAGE_EXECUTE. The page can be executed (you can't just jump to any old address in XP).

Theoretically a page (a section of virtual memory which at any time can be swapped into physical RAM along with its attributes) has to be marked with this attribute for Windows to execute it. That's the idea at any rate.

It turns out that this strict rule doesn't apply all that well.

When Microsoft came out with their XP Service Pack 2 with 'advanced security technologies' [sic] they added both hardware and software DEP to their system. And the first question from an astute reader might be:

If a page is not marked with PAGE_EXECUTE, how can rogue code residing on such a page ever run?

To which the Microsoft PR department are likely to respond:

Good question! Next question?

And so today Microsoft have 'DEP'.

The Windows WMF attack relies on being able to execute code in areas not marked with PAGE_EXECUTE - after all, the attack vector is in a graphics file. But such is the sloppiness of Microsoft. It's unlikely they will ever reveal how they screwed things up to allow callbacks into data that's not supposed to be 'run', but it's a certainty they figured out one whale of a hack here.

So much so that their own 'software' DEP with their SP2's 'advanced security technologies' [sic] can't stop the script kiddies worldwide who are now reaping the benefits of everyone else's bankbooks.

No, the only known way to stop the WMF exploit - and it's not a sure thing at all - is through 'hardware' DEP.

What's the difference between software and hardware DEP? Easy. Software DEP relies on Microsoft doing the right thing - which as everyone knows is never going to happen. They're supposed to stop rogue code, but they were supposed to yesterday as well and didn't do it. In fact, they probably had to write a workaround to open up the hole.

Hardware DEP is at processor level. That means very simply that it's the CPU (AMD, Intel) that is responsible for disallowing rogue code to run.

Which it can do - provided it's been enhanced with this capability. And some enhanced CPUs for some Windows machines seem to be able to block the WMF attack; whilst others which should be able to block it cannot.

At any rate, things could hardly be more DEPressing: once again we see Microsoft running to others in the industry to solve their security issues for them. Not long ago Bill Gates was pressuring backbone providers to beef up security so his poor Windows machines wouldn't get hit all the time. Obviously the idea of just building a secure system himself is something he regards as anathema.

And so we have it again: Microsoft cannot and will not provide their customers with anything approaching adequate security. They're way too stupid to either design secure systems or write even minimally acceptable code.

No, they're using - and will continue to use - their market bully status to pressure others to do their job for them.

'DEP' stands for 'data execution prevention'. Do you feel better now?