Microsoft has added new security-related APIs to upcoming service packs for Windows Vista and XP to expand the use of the anti-exploit technology dubbed Data Execution Prevention (DEP).
The new application programming interfaces (APIs) will be included with Vista Service Pack 1 (SP1), Windows XP SP3 and the brand-new Windows 2008 when those operating systems ship this quarter and next, said Michael Howard, a principal security program manager in Microsoft's security engineering and communications group.
According to Howard, one of Microsoft's resident security gurus and probably best known for co-authoring Writing Secure Code, the new APIs will allow more developers, particularly those still using older versions of ATL (Active Template Library), to call DEP in their apps.
DEP, which also goes by NX -- for No eXecute -- is a technology introduced by Microsoft in Windows XP SP2, and expanded in Vista and Server 2008. It's designed to stop some kinds of exploits -- buffer overflow attacks in the main -- by blocking code from executing in memory that's supposed to contain only data.
The new APIs can be used by developers working with the older ATL to enable DEP at runtime, that is, when the application actually launches. Previously, those programmers were forced to decide ahead of time whether their software would try to protect itself using DEP.
The most important of the new APIs is "SetProcessDEPPolicy," said Howard, which sets the DEP policy for the running process.
"When you link with the NX, it's cast in stone," explained Howard, referring to the use of ATL without the new APIs. "If you load a .dll that can't run correctly with DEP, it's not gonna work. With the new APIs, the cool thing is that you can have it in the configuration, so DEP is enabled by default -- so all the .dll [files] are protected."
The new APIs let a program opt in to DEP support when it is run, giving both developers and users more flexibility. Apps that rely on .dlls that won't work with DEP, perhaps because they're custom-created for the corporation and use -- right or wrong -- data areas of memory to execute code, can in turn opt out of the anti-exploit protection.
"We can now allow the application to be protected, even if the developer is using an old version of ATL," said Howard. "DEP is a good defense, and we want to make it easier for developers to use it."
The new APIs will also let programmers give control over DEP to users, he added. "If you support DEP but want to allow customers to disable DEP if there are serious compatibility issues, then this is the API to use because the argument can be a configuration option," he wrote in a technical post to his own blog on Tuesday.
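One way to wire up the configuration-driven opt-in described above, as an added example that is not code from the article or from Microsoft: a hypothetical configuration value ("on" or "off") selects the argument to SetProcessDEPPolicy, which is resolved at runtime so the program still starts on systems that lack the API. The function names dep_flags_from_config and apply_dep_policy are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Documented SetProcessDEPPolicy flag value, defined here so the
 * policy logic also compiles where the Windows SDK is not present. */
#ifndef PROCESS_DEP_ENABLE
#define PROCESS_DEP_ENABLE 0x00000001
#endif

/* Map a hypothetical config value to the API argument.
 * Only an exact "off" disables DEP; a missing or mistyped value
 * keeps the protection on, so a bad config cannot weaken the process. */
unsigned long dep_flags_from_config(const char *value)
{
    if (value != NULL && strcmp(value, "off") == 0)
        return 0;
    return PROCESS_DEP_ENABLE;
}

/* Returns 1 if the policy was set, 0 if the API is missing or the call
 * failed, -1 when built for a non-Windows target (nothing to do). */
int apply_dep_policy(unsigned long flags)
{
#ifdef _WIN32
    typedef BOOL (WINAPI *SetProcessDEPPolicy_t)(DWORD);
    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    SetProcessDEPPolicy_t fn = NULL;
    if (k32 != NULL)  /* resolve dynamically: older systems lack the export */
        fn = (SetProcessDEPPolicy_t)GetProcAddress(k32, "SetProcessDEPPolicy");
    if (fn == NULL)
        return 0;
    return fn((DWORD)flags) ? 1 : 0;
#else
    (void)flags;
    return -1;
#endif
}

int main(int argc, char **argv)
{
    /* Constructed input: the config value is taken from argv[1], default "on". */
    const char *cfg = (argc > 1) ? argv[1] : "on";
    unsigned long flags = dep_flags_from_config(cfg);
    /* Call this before loading any plug-in .dll so the policy covers it. */
    printf("config=%s flags=0x%lx result=%d\n", cfg, flags, apply_dep_policy(flags));
    return 0;
}
```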
The timing of the new APIs' introduction isn't a mystery, Howard said when asked why they are being rolled out now. "We're adding them to the service packs because they have such a high uptake" by users, he explained.
"We were much more aggressive in which components were protected [by DEP] in Vista compared to XP," said Howard. "And over time we will get even more aggressive. This is part of that."
Microsoft has slated Vista SP1 for release this quarter, though speculation has mounted that it will appear within a matter of weeks. Windows XP SP3 is scheduled to ship some time in the first half of the year, while Windows Server 2008 has been tagged with a late February launch date.