DEP in Windows hacked

I’m really sorry about the continuous Windows security reports, but they just keep on coming, so what else can I do…

Data Execution Prevention (DEP) is a security feature that Microsoft added to every version of Windows since XP SP2. It is meant to blunt buffer overflow exploits by working with the CPU’s no-execute (NX/XD) page bit: memory that only holds data, such as the stack and the heap, is marked non-executable, and only pages explicitly allocated for code may be executed. That way, even when an overflow lets an attacker write shellcode into a buffer and redirect control to it, the CPU refuses to fetch instructions from that memory and the process crashes instead of running the payload. Hardware DEP needs a processor with the NX bit; on older CPUs Windows falls back to a much weaker software-only mode.

Unfortunately, Berend-Jan Wever, aka “SkyLined”, a security software engineer at Google, has reportedly bypassed DEP using a variation of a technique he helped perfect: heap spraying. In classic heap spraying, the attack fills the process heap with many copies of its shellcode, each preceded by a long run of NOP instructions (a “sled”), so that an educated guess at an address is very likely to land somewhere that slides into the payload. DEP breaks this because the sprayed heap is data and the CPU will not execute it. In Wever’s latest variant, the attacking code instead looks for clues to where memory that DEP already allows to execute can be found, and once armed with that address it can arrange for its payload to run from there.
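To make both halves of this concrete, here is an added example of my own (not code from the article or from Wever’s work) in C, run on Linux, which enforces the same CPU no-execute bit that hardware DEP relies on. It builds a miniature heap spray (sled plus a payload that just returns 42), jumps to an attacker-style guessed address inside it, and shows that the guess works when the region is executable and faults when the region is marked non-executable, the DEP case. It does not reproduce Wever’s actual trick for locating already-executable memory, since the post gives no details of it. Assumptions: an x86-64 or AArch64 Linux box with gcc or clang; the payload bytes, the spray sizes and the guessed offset are made up for the demo.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Stand-in "shellcode": machine code for `return 42`, plus the architecture's
   NOP for the sled.  Assumption: x86-64 or AArch64 Linux, gcc or clang. */
#if defined(__x86_64__)
static const unsigned char payload[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; /* mov eax,42 ; ret */
static const unsigned char nop[]     = { 0x90 };
#elif defined(__aarch64__)
static const unsigned char payload[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
static const unsigned char nop[]     = { 0x1F, 0x20, 0x03, 0xD5 };
#else
#error "example carries machine code for x86-64 and AArch64 only"
#endif

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Jumps to `addr` with a SIGSEGV/SIGBUS catcher installed.  Returns what the
   code there returned, or -1 if the CPU refused to fetch instructions from it. */
static int try_execute(void *addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int result = -1;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        int (*fn)(void) = (int (*)(void))addr;
        result = fn();
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

/* Heap spray in miniature: `blocks` copies of [NOP sled][payload], each
   `block_size` bytes, in one anonymous mapping whose final protection is
   `prot`.  Then jump to an attacker-style guess, `guess_offset` bytes into
   the mapping, which need not be a block start.
   Returns 42 if the guess landed in a sled and the memory was executable,
   -1 if the memory was non-executable (the DEP/NX case), -2 on bad arguments
   or mapping failure. */
int spray_and_guess(int prot, size_t blocks, size_t block_size, size_t guess_offset) {
    size_t total = blocks * block_size;
    size_t sled_len = block_size - sizeof payload;
    if (block_size <= sizeof payload || block_size % sizeof nop || guess_offset >= total)
        return -2;
    /* A guess inside the payload bytes would start mid-instruction; real sprays
       have the same blind spot, so just reject it here. */
    if (guess_offset % sizeof nop || guess_offset % block_size >= sled_len)
        return -2;
    unsigned char *heap = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (heap == MAP_FAILED) return -2;
    for (size_t b = 0; b < blocks; b++) {
        unsigned char *blk = heap + b * block_size;
        for (size_t i = 0; i < sled_len; i += sizeof nop)
            memcpy(blk + i, nop, sizeof nop);
        memcpy(blk + sled_len, payload, sizeof payload);
    }
    __builtin___clear_cache((char *)heap, (char *)heap + total);   /* AArch64 needs this */
    if (mprotect(heap, total, prot) != 0) { munmap(heap, total); return -2; }
    int result = try_execute(heap + guess_offset);
    munmap(heap, total);
    return result;
}

int main(void) {
    /* 256 blocks of 64 KiB, a tiny spray by browser standards; guess ~1 MB in. */
    size_t guess = 1000000 - 1000000 % sizeof nop;
    printf("executable spray (no DEP): %d\n", spray_and_guess(PROT_READ | PROT_EXEC, 256, 65536, guess));
    printf("non-executable spray (DEP): %d\n", spray_and_guess(PROT_READ | PROT_WRITE, 256, 65536, guess));
    return 0;
}
```

The first call prints 42: the guessed address is nowhere near a block boundary, but the sled carries execution into the payload anyway, which is the whole appeal of spraying. The second prints -1: identical bytes, identical guess, but the pages are data, so the instruction fetch faults. That fault is what DEP buys you, and why a bypass has to find memory that is already executable rather than just guessing harder.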

It also seems possible that the same technique could be used to defeat ASLR (address space layout randomization), another Microsoft security improvement. ASLR’s job is to keep an attacker from knowing where anything useful lives in memory, and DEP and ASLR are meant to back each other up, so a trick that discloses the location of executable memory is exactly the kind of thing that undermines both.

So two of Microsoft’s most important security features in Windows seem to be vulnerable to attack. Makes me feel warm all over knowing I run Linux…

As an aside, I’ve just spent half the morning trying to clean two Windows machines for a client. These were riddled with viruses that self-replicated to all the network shares. And no, it wasn’t me who hooked them up to the network. I finally managed to get the machines clean and removed all the viruses from the Linux-based network shares using ClamAV. Of course the Linux server didn’t miss a beat.

Someone is getting an interesting invoice next week.