Microsoft KB Archive/889741

= Windows XP Service Pack 2 (Part 7): Protecting against buffer overflows =

Article ID: 889741

Article Last Modified on 2/6/2007

-

APPLIES TO

 * Microsoft Windows XP Service Pack 2, when used with:
   * Microsoft Windows XP Home Edition
   * Microsoft Windows XP Professional

-



Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.



SUMMARY
This article is Part 7 of the Windows XP Service Pack 2 - Step by Step guide. This article describes how to protect against buffer overflows in Microsoft Windows XP Service Pack 2 (SP2).

To view the other articles in the Windows XP Service Pack 2 - Step by Step guide, see the Microsoft Knowledge Base articles that are listed in the "References" section.

The Windows XP Service Pack 2 - Step by Step guide includes the following topics:
 * Part 1: Better security with Service Pack 2
 * Part 2: Installing Service Pack 2
 * Part 3: The new Security Center
 * Part 4: Automatic Updates
 * Part 5: Virus protection
 * Part 6: Windows Firewall
 * Part 7: Protecting against buffer overflows
 * Part 8: Improvements in Internet Explorer and Outlook Express
 * Part 9: Uninstalling Service Pack 2



Part 7: Protecting against buffer overflows
Buffer overflows are one of the most notorious forms of attack from the Internet. They rely on the simple fact that programmers may make errors when reserving memory for variables.

This means, for example, that a user may later enter data that contains many more characters than the programmer originally reserved room for. The excess data spills into surrounding memory that has nothing to do with the variable. Most of the time, the program will simply stop responding. However, an attacker may also exploit this vulnerability to gain control over the computer.



How does a buffer overflow work?
To correctly understand how a buffer overflow works, you will require some technical knowledge.

A computer has random access memory (RAM) that is shared by all programs. To make memory management easier, Windows XP SP2 has a feature that controls which segments of RAM are currently being used. When a program is started, free memory is allocated to that program.

This memory is divided into three segments:
 * Code segment: Program-specific executable commands are stored here.
 * Data segment: Program-specific data is stored here.
 * Stack (part of the data segment): Everything relevant to program functions is stored here. This includes parameters, buffers for storing local variables and, most important, the return address. The return address specifies where the program will continue from after the function has been executed.



Because information entered by a user is also stored in a variable, everything that a user types ends up on the stack. Generally, this behavior does not pose a problem. However, if the buffer limit is exceeded because of a programming error, the stack becomes easy to control. For example, if an attacker supplies input chosen for the attack, the whole area that is designated for local variables may be overwritten with instructions, and the return address that follows it can be changed to point to that malicious code. The program then no longer functions correctly, but blindly performs the attacker's commands.
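The programming error the article describes, as an added C example that is not part of the original article: a local variable with a fixed reserved size, an unchecked copy of user input into it, and the hardened form that compares the input length against the reserved size before copying. The function names (greet_unsafe, greet_safe, input_fits), the buffer size NAME_LEN and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The programmer reserved this much memory for the variable. */
#define NAME_LEN 16

/* Unsafe pattern: whatever the user typed is copied into a fixed-size
 * local buffer on the stack with no length check. If the input is longer
 * than NAME_LEN - 1 characters, strcpy writes past the end of 'name' into
 * the neighbouring stack memory, which is where the saved return address
 * lives. This is the defect the article describes. */
void greet_unsafe(const char *user_input)
{
    char name[NAME_LEN];
    strcpy(name, user_input);          /* no bounds check: overflows on long input */
    printf("Hello, %s\n", name);
}

/* Hardened form: check the length against the reserved size first and
 * reject input that does not fit. Returns 0 on success, -1 if the input
 * was too long to store safely. Truncating with a bounded copy is the
 * other common choice; rejecting keeps the contract with the caller obvious. */
int greet_safe(const char *user_input)
{
    char name[NAME_LEN];
    size_t len = strlen(user_input);

    if (len >= NAME_LEN) {             /* must leave room for the terminating NUL */
        fprintf(stderr, "input rejected: %zu chars, maximum is %d\n",
                len, NAME_LEN - 1);
        return -1;
    }
    memcpy(name, user_input, len + 1); /* copies exactly len + 1 bytes, NUL included */
    printf("Hello, %s\n", name);
    return 0;
}

/* Same check exposed on its own, so a caller can ask "would this input
 * overflow a NAME_LEN buffer?" without copying anything. Returns 1 if it fits. */
int input_fits(const char *user_input)
{
    return strlen(user_input) < NAME_LEN;
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one 32-character string that would not. */
    const char *short_input = "Alice";
    const char *long_input  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

    greet_safe(short_input);   /* greeting is printed */
    greet_safe(long_input);    /* rejected: nothing is written past the buffer */
    greet_unsafe(short_input); /* works only because this input happens to fit */
    /* greet_unsafe(long_input) is deliberately not called: it would corrupt the stack. */
    return 0;
}
```

The check in greet_safe is the whole mitigation at the source level: the reserved size is compared with the input length before a single byte is copied. DEP, described in the next section, is the operating-system backstop for programs that ship without such a check.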




What does Data Execution Prevention do?
Data Execution Prevention (DEP) monitors programs to verify whether they are using system memory securely. To do this, DEP software, either alone or with compatible microprocessors, marks memory locations as "non-executable." If a program tries to run code (malicious or not) from one of these protected locations, DEP closes the program and notifies you by sending a warning message.

After you install Windows XP SP2, DEP is only enabled for necessary operating system programs and services because not all software programs run smoothly with DEP. To enhance security, you can turn on DEP for all programs and then define exceptions for individual programs and services.

How to enable DEP for all programs
 * 1) Click Start, point to Control Panel, and then click System.
 * 2) Click the Advanced tab, and then click Settings under Performance.
 * 3) Click the Data Execution Prevention tab, select Turn on DEP for all programs and services except those I select, and then click OK.
 * 4) You must restart the computer for this change to take effect. Confirm your selections by clicking OK two times, and then restart the computer.

Defining exceptions
If certain programs cause problems, define them as exceptions. To do this, follow these steps:
 * 1) On the Data Execution Prevention tab, click Add.
 * 2) Search for and select the program file that you want to add as an exception, click Open, and then click OK.
 * 3) Click OK two times, and then restart the computer.

To disable Data Execution Prevention
Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

If the computer experiences problems with DEP, you can disable this function. To do this, you must modify the Boot.ini file as follows:
 * 1) You must first check your Folder Options. Click Start, click Control Panel, and then double-click Folder Options.
 * 2) Check that all folders and system files are displayed.
 * 3) Start the computer in safe mode. To do this, press the F8 key after the Power On Self Test (POST) is finished.
 * 4) Use the arrow keys to select the Safe Mode option. Then, press ENTER.
 * 5) Select the operating system you want to start, and then press ENTER.
 * 6) Open My Computer, and then click drive C:\. Search for the Boot.ini file.
 * 7) As a precaution, make a backup copy of the Boot.ini file. To do this, right-click the file, click Copy, right-click an empty area, and then click Paste.
 * 8) Right-click the Boot.ini file, and then click Properties.
 * 9) Click to clear Read-only, and then click OK.
 * 10) Click Start, click Run, type notepad c:\boot.ini, and then click OK.
 * 11) Change NoExecute=xxxxx to NoExecute=AlwaysOff.
 * 12) Save the Boot.ini file, revert to read-only, and then restart the computer.
