Microsoft adds new security APIs to Vista, XP

Offers more flexibility to developers using 'no-execute' anti-exploit technologies

Microsoft has added new security-related APIs to upcoming service packs for Windows Vista and XP to expand the use of the anti-exploit technology dubbed Data Execution Prevention (DEP).

The new application programming interfaces (APIs) will be included with Vista Service Pack 1 (SP1), Windows XP SP3 and the brand-new Windows 2008 when those operating systems ship this quarter and next, said Michael Howard, a principal security program manager in Microsoft's security engineering and communications group.

According to Howard, one of Microsoft's resident security gurus and probably best known for co-authoring Writing Secure Code, the new APIs will allow more developers, particularly those still using older versions of ATL (Active Template Library), to enable DEP in their apps.

DEP, which also goes by NX -- for No eXecute -- is a technology introduced by Microsoft in Windows XP SP2, and expanded in Vista and Server 2008. It's designed to stop some kinds of exploits -- buffer overflow attacks in the main -- by blocking code from executing in memory that's supposed to contain only data.

The new APIs can be used by developers working with the older ATL to enable DEP at run time, when the application actually launches. Previously, those programmers were forced to decide ahead of time whether their software would try to protect itself using DEP.

The most important of the new APIs is "SetProcessDEPPolicy," said Howard, which sets the DEP policy for the running process.

"When you link with the NX, it's cast in stone," explained Howard, referring to the use of ATL without the new APIs. "If you load a .dll that can't run correctly with DEP, it's not gonna work. With the new APIs, the cool thing is that you can have it in the configuration, so DEP is enabled by default -- so all the .dll [files] are protected."

The new APIs let a program opt in to DEP support when it is run, giving both developers and users more flexibility. Apps that rely on .dlls that won't work with DEP, perhaps because they were custom-created for the corporation and use -- right or wrong -- data areas of memory to execute code, can in turn opt out of the anti-exploit protection.

"We can now allow the application to be protected, even if the developer is using an old version of ATL," said Howard. "DEP is a good defense, and we want to make it easier for developers to use it."

The new APIs will also let programmers give control over DEP to users, he added. "If you support DEP but want to allow customers to disable DEP if there are serious compatibility issues, then this is the API to use because the argument can be a configuration option," he wrote in a technical post to his own blog on Tuesday.
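The configuration-driven opt-in Howard describes could look like the following sketch, which is an added example and not code from Microsoft or from Howard's post. The setting values ("on", "off", "on-no-atl-thunks") and the function names are hypothetical; the flag values are the documented ones for SetProcessDEPPolicy, and the API is resolved dynamically because it exists only on the service-pack levels named above.

```c
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Documented SetProcessDEPPolicy flags, defined here in case the SDK headers predate the API. */
#ifndef PROCESS_DEP_ENABLE
#define PROCESS_DEP_ENABLE 0x00000001
#endif
#ifndef PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION
#define PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION 0x00000002
#endif

enum dep_result { DEP_APPLIED = 0, DEP_API_MISSING = 1, DEP_CALL_FAILED = 2 };

/* Map a hypothetical "dep" configuration value to SetProcessDEPPolicy flags.
 * Anything unrecognised, including a missing setting, fails safe to DEP on. */
unsigned long dep_flags_from_config(const char *value)
{
    if (value != NULL && strcmp(value, "off") == 0)
        return 0;  /* explicit compatibility opt-out chosen by the customer */
    if (value != NULL && strcmp(value, "on-no-atl-thunks") == 0)
        return PROCESS_DEP_ENABLE | PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION;
    return PROCESS_DEP_ENABLE;  /* default: old ATL thunks still emulated */
}

/* Apply the policy; call this before loading any optional .dll. */
enum dep_result apply_dep_policy(unsigned long flags)
{
#ifdef _WIN32
    typedef BOOL (WINAPI *set_dep_fn)(DWORD);
    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    set_dep_fn set_dep = k32 ? (set_dep_fn)GetProcAddress(k32, "SetProcessDEPPolicy") : NULL;
    if (set_dep == NULL)
        return DEP_API_MISSING;  /* OS older than XP SP3 / Vista SP1 */
    return set_dep((DWORD)flags) ? DEP_APPLIED : DEP_CALL_FAILED;
#else
    (void)flags;
    return DEP_API_MISSING;  /* not Windows: nothing to call */
#endif
}

int main(void)
{
    /* In a real program the string would come from the app's own settings. */
    return apply_dep_policy(dep_flags_from_config("on")) == DEP_CALL_FAILED;
}
```

SetProcessDEPPolicy applies to 32-bit processes, and once a process has turned DEP on with PROCESS_DEP_ENABLE it stays on for the life of that process. A DEP_CALL_FAILED result is worth logging, since it means the process is running with whatever policy the system assigned rather than the one configured.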

The timing of the new APIs' introduction isn't a mystery, Howard said when asked why they are being rolled out now. "We're adding them to the service packs because they have such a high uptake" by users, he explained.

"We were much more aggressive in which components were protected [by DEP] in Vista compared to XP," said Howard. "And over time we will get even more aggressive. This is part of that."

Microsoft has slated Vista SP1 for release this quarter, though speculation has mounted that it will appear within a matter of weeks. Windows XP SP3 is scheduled to ship some time in the first half of the year, while Windows Server 2008 has been tagged with a late February launch date.


Gregg Keizer

Computerworld