Microsoft adds new security APIs to Vista, XP

Offers more flexibility to developers using 'no-execute' anti-exploit technologies

Microsoft has added new security-related APIs to upcoming service packs for Windows Vista and XP to expand the use of the anti-exploit technology dubbed Data Execution Prevention (DEP).

The new application programming interfaces (APIs) will be included with Vista Service Pack 1 (SP1), Windows XP SP3 and the brand-new Windows 2008 when those operating systems ship this quarter and next, said Michael Howard, a principal security program manager in Microsoft's security engineering and communications group.

According to Howard, one of Microsoft's resident security gurus and probably best known for co-authoring Writing Secure Code, the new APIs will allow more developers, particularly those still using older versions of ATL (Active Template Library), to call DEP in their apps.

DEP, which also goes by NX -- for No eXecute -- is a technology introduced by Microsoft in Windows XP SP2, and expanded in Vista and Server 2008. It's designed to stop some kinds of exploits -- buffer overflow attacks in the main -- by blocking code from executing in memory that's supposed to contain only data.

The new APIs can be used by developers working with the older ATL to enable DEP at runtime, or when the application actually launches. Previously, those programmers were forced to decide ahead of time whether their software would try to protect itself using DEP.

The most important of the new APIs is "SetProcessDEPPolicy," said Howard, which sets the DEP policy for the running process.

"When you link with the NX, it's cast in stone," explained Howard, referring to the use of ATL without the new APIs. "If you load a .dll that can't run correctly with DEP, it's not gonna work. With the new APIs, the cool thing is that you can have it in the configuration, so DEP is enabled by default -- so all the .dll [files] are protected." Those new APIs let the program opt in to DEP support when they're run, giving both developers and users more flexibility. Apps that rely on .dlls that won't work with DEP, perhaps because they're custom-created for the corporation and use -- right or wrong -- data areas of memory to execute code, can in turn opt-out of the anti-exploit protection.

"We can now allow the application to be protected, even if the developer is using an old version of ATL," said Howard. "DEP is a good defense, and we want to make it easier for developers to use it."

The new APIs will also let programmers give control over DEP to users, he added. "If you support DEP but want to allow customers to disable DEP if there are serious compatibility issues, then this is the API to use because the argument can be a configuration option," he wrote in a technical post to his own blog on Tuesday.

The timing of the new APIs' introduction isn't a mystery, Howard said when asked why they are being rolled out now. "We're adding them to the service packs because they have such a high uptake" by users, he explained.

"We were much more aggressive in which components were protected [by DEP] in Vista compared to XP," said Howard. "And over time we will get even more aggressive. This is part of that."

Microsoft has slated Vista SP1 for release this quarter, though speculation has mounted that it will appear within a matter of weeks. Windows XP SP3 is scheduled to ship some time in the first half of the year, while Windows Server 2008 has been tagged with a late February launch date.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments


James Cook University - Master of Data Science Online Course

Learn more >




Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?