Microsoft adds new security APIs to Vista, XP

Offers more flexibility to developers using 'no-execute' anti-exploit technologies

Microsoft has added new security-related APIs to upcoming service packs for Windows Vista and XP to expand the use of the anti-exploit technology dubbed Data Execution Prevention (DEP).

The new application programming interfaces (APIs) will be included with Vista Service Pack 1 (SP1), Windows XP SP3 and the brand-new Windows Server 2008 when those operating systems ship this quarter and next, said Michael Howard, a principal security program manager in Microsoft's security engineering and communications group.

According to Howard, one of Microsoft's resident security gurus and probably best known for co-authoring Writing Secure Code, the new APIs will allow more developers, particularly those still using older versions of ATL (Active Template Library), to turn on DEP in their apps.

DEP, which relies on the processor's NX (No eXecute) bit and is often referred to by that name, is a technology introduced by Microsoft in Windows XP SP2 and expanded in Vista and Server 2008. It's designed to stop some kinds of exploits, buffer overflow attacks in the main, by blocking code from executing in memory that's supposed to contain only data, such as the stack and the heap.

The new APIs can be used by developers working with the older ATL to enable DEP at runtime, when the application actually launches. Previously, those programmers were forced to decide ahead of time whether their software would try to protect itself using DEP: the choice was made at build time, by linking with the /NXCOMPAT option or not, and could not be changed afterwards. Older ATL versions are the sticking point because they write small window-procedure thunks into ordinary data memory and then jump to them, which is exactly the behaviour DEP blocks.

The most important of the new APIs is "SetProcessDEPPolicy," said Howard, which sets the DEP policy for the running process.

"When you link with the NX, it's cast in stone," explained Howard, referring to the use of ATL without the new APIs. "If you load a .dll that can't run correctly with DEP, it's not gonna work. With the new APIs, the cool thing is that you can have it in the configuration, so DEP is enabled by default -- so all the .dll [files] are protected." The new APIs let a program opt in to DEP when it runs, giving both developers and users more flexibility. Apps that rely on .dlls that won't work with DEP, perhaps because they're custom-built for the corporation and use -- right or wrong -- data areas of memory to execute code, can in turn opt out of the anti-exploit protection.

"We can now allow the application to be protected, even if the developer is using an old version of ATL," said Howard. "DEP is a good defense, and we want to make it easier for developers to use it."

The new APIs will also let programmers give control over DEP to users, he added. "If you support DEP but want to allow customers to disable DEP if there are serious compatibility issues, then this is the API to use because the argument can be a configuration option," he wrote in a technical post to his own blog on Tuesday.
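Here is what the configuration-driven, runtime opt-in Howard describes looks like in code. This is an added example, not code from Microsoft or from Howard's blog post: a small C program whose DEP policy comes from a configuration value rather than being fixed at link time. The setting names "on", "on-strict" and "off", the result codes and the helper functions are this example's own inventions. It resolves SetProcessDEPPolicy, and its companion GetProcessDEPPolicy that shipped in the same service packs, with GetProcAddress, because a binary that imported them directly would fail to load on XP SP2 or Vista RTM, where the exports do not exist.

```c
/*
 * dep_optin.c: runtime DEP opt-in via SetProcessDEPPolicy, driven by a
 * configuration value instead of a link-time decision.  Added example;
 * setting names and result codes are hypothetical.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* dwFlags values documented for SetProcessDEPPolicy, defined locally so the
 * file also builds with SDK headers that predate XP SP3 / Vista SP1. */
#define DEP_ENABLE                      0x00000001UL
#define DEP_DISABLE_ATL_THUNK_EMULATION 0x00000002UL

enum dep_setting {
    DEP_SETTING_INVALID   = -1,
    DEP_SETTING_OFF       = 0,  /* opt out: DLLs that execute code from data memory */
    DEP_SETTING_ON        = 1,  /* opt in, keep Windows' ATL thunk emulation */
    DEP_SETTING_ON_STRICT = 2   /* opt in and switch the thunk emulation off too */
};

/* Result codes of apply_dep_policy() (hypothetical). */
enum { DEP_APPLIED = 0, DEP_BAD_SETTING = 1, DEP_API_MISSING = 2,
       DEP_CALL_FAILED = 3, DEP_NOT_WINDOWS = 4 };

/* Map a configuration string (e.g. an .ini or registry value) to a setting.
 * Unknown values are rejected instead of being treated as "off", so a typo
 * in the configuration cannot silently weaken the protection. */
int parse_dep_setting(const char *value)
{
    if (value == NULL) return DEP_SETTING_INVALID;
    if (strcmp(value, "off") == 0)       return DEP_SETTING_OFF;
    if (strcmp(value, "on") == 0)        return DEP_SETTING_ON;
    if (strcmp(value, "on-strict") == 0) return DEP_SETTING_ON_STRICT;
    return DEP_SETTING_INVALID;
}

/* dwFlags to hand to SetProcessDEPPolicy for a setting; 0 disables DEP. */
unsigned long dep_flags_for_setting(int setting)
{
    switch (setting) {
    case DEP_SETTING_ON:        return DEP_ENABLE;
    case DEP_SETTING_ON_STRICT: return DEP_ENABLE | DEP_DISABLE_ATL_THUNK_EMULATION;
    default:                    return 0UL;
    }
}

/* Apply the policy to the current process.  Run it as early as possible,
 * before any DLL the policy must cover is loaded.  The call is one-shot:
 * once DEP_ENABLE is set it cannot be cleared, and a later call fails. */
int apply_dep_policy(int setting, char *msg, size_t msglen)
{
    if (setting == DEP_SETTING_INVALID) {
        snprintf(msg, msglen, "invalid DEP setting; system policy stays in force");
        return DEP_BAD_SETTING;
    }
#ifdef _WIN32
    {
        typedef BOOL (WINAPI *SetDepFn)(DWORD);
        typedef BOOL (WINAPI *GetDepFn)(HANDLE, LPDWORD, PBOOL);
        HMODULE k32 = GetModuleHandleA("kernel32.dll");
        SetDepFn set_dep = k32 ? (SetDepFn)GetProcAddress(k32, "SetProcessDEPPolicy") : NULL;
        GetDepFn get_dep = k32 ? (GetDepFn)GetProcAddress(k32, "GetProcessDEPPolicy") : NULL;
        DWORD cur = 0;
        BOOL permanent = FALSE;

        if (set_dep == NULL) {   /* pre-service-pack Windows: no such export */
            snprintf(msg, msglen, "SetProcessDEPPolicy not available; system policy applies");
            return DEP_API_MISSING;
        }
        /* Already permanent (image linked /NXCOMPAT, or an earlier call set
         * DEP_ENABLE): a further call would fail, so report the state instead. */
        if (get_dep && get_dep(GetCurrentProcess(), &cur, &permanent) && permanent) {
            snprintf(msg, msglen, "DEP policy already permanent (flags=0x%lx)", (unsigned long)cur);
            return DEP_APPLIED;
        }
        /* Fails, among other cases, in a 64-bit process, where DEP is always on. */
        if (!set_dep((DWORD)dep_flags_for_setting(setting))) {
            snprintf(msg, msglen, "SetProcessDEPPolicy failed, GetLastError=%lu",
                     (unsigned long)GetLastError());
            return DEP_CALL_FAILED;
        }
        snprintf(msg, msglen, "DEP policy set: flags=0x%lx", dep_flags_for_setting(setting));
        return DEP_APPLIED;
    }
#else
    snprintf(msg, msglen, "not a Windows build; nothing to do");
    return DEP_NOT_WINDOWS;
#endif
}

int main(int argc, char **argv)
{
    char msg[128];
    /* The setting would normally come from the product's configuration;
     * here it is the first command-line argument, defaulting to "on". */
    int rc = apply_dep_policy(parse_dep_setting(argc > 1 ? argv[1] : "on"), msg, sizeof msg);
    printf("%s (rc=%d)\n", msg, rc);
    return rc == DEP_APPLIED ? 0 : 1;
}
```

Build it as a 32-bit executable without /NXCOMPAT, since that is the only kind of process whose policy the API can still change; an image linked with /NXCOMPAT, or a 64-bit process, is already permanently protected, which is why the code reports that state rather than treating it as a failure. Exposing "off" at all is the deliberate trade-off Howard describes: it exists for in-house DLLs that execute from data memory, and an installation that has no such DLLs should ship with "on".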

The timing of the new APIs' introduction isn't a mystery, Howard said when asked why they are being rolled out now. "We're adding them to the service packs because they have such a high uptake" by users, he explained.

"We were much more aggressive in which components were protected [by DEP] in Vista compared to XP," said Howard. "And over time we will get even more aggressive. This is part of that."

Microsoft has slated Vista SP1 for release this quarter, though speculation has mounted that it will appear within a matter of weeks. Windows XP SP3 is scheduled to ship some time in the first half of the year, while Windows Server 2008 has been tagged with a late February launch date.

Gregg Keizer

Computerworld