Windows XP Service Pack 2 (Part 7): Protecting against buffer overflows (889741)



The information in this article applies to:

  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional

Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

SUMMARY

This article is Part 7 of the Windows XP Service Pack 2 - Step by Step guide. This article describes how to protect against buffer overflows in Microsoft Windows XP Service Pack 2 (SP2).

To view the other articles in the Windows XP Service Pack 2 - Step by Step guide, see the Microsoft Knowledge Base articles that are listed in the "References" section.

The Windows XP Service Pack 2 - Step by Step guide includes the following topics:
Part 1:  Better security with Service Pack 2

Part 2:  Installing Service Pack 2

Part 3:  The new Security Center

Part 4:  Automatic Updates

Part 5:  Virus protection

Part 6:  Windows Firewall

Part 7:  Protecting against buffer overflows

Part 8:  Improvements in Internet Explorer and Outlook Express

Part 9:  Uninstalling Service Pack 2

MORE INFORMATION

Part 7: Protecting against buffer overflows

Buffer overflows are one of the most notorious forms of attack from the Internet. They rely on the simple fact that programmers may make errors when reserving disk space for variables.

This means, for example, that a user may subsequently enter data that contains many more characters than originally designated. The surrounding memory that has nothing to do with the variable may also be affected. Most of the time, the program will stop responding. However, an attacker may also exploit this vulnerability to gain control over the computer.

Buffer overflow

How does a buffer overflow work?

To correctly understand how a buffer overflow works, you will require some technical knowledge.

A computer has random access memory (RAM) that is shared by all programs. To make memory management easier, Windows XP SP2 has a feature that controls which segments of RAM are currently being used. If a program is started, free memory is allocated to that program.

This memory is divided into three segments:
  • Code segment
    Program-specific executable commands are stored here.
  • Data segment
    Program-specific data is stored here.
  • Stack (part of the data segment)
    Everything relevant to program functions is stored here. This includes parameters, buffers for storing local variables and, most important, the return address. The return address specifies where the program will continue from after the function has been executed.

    Return address

    As information that is entered by a user is also registered as a variable, everything that a user types is sent to the stack. Generally, this behavior does not pose a problem. However, if the buffer limit is exceeded because of a programming error, the stack becomes easy to control. For example, if an attacker selects the appropriate entry for the attack, the whole segment that is designated for local variables may be overwritten with instructions. Additionally, the subsequent return address can be changed to point to malicious code. Therefore, the program no longer functions correctly, but blindly performs the attacker's commands.

    Variable X redirecting to harmful code

What does Data Execution Prevention do?

Data Execution Prevention (DEP) monitors programs to verify whether they are using system memory securely. To do this, DEP software, either alone or with compatible microprocessors, marks memory locations as "non-executable." If an program tries to run a code (malicious or not) from one of these protected locations, DEP closes the program and notifies you by sending a warning message.

After you install Windows XP SP2, DEP is only enabled for necessary operating system programs and services because not all software programs run smoothly with DEP. To enhance security, you can turn on DEP for all programs and then define exceptions for individual programs and services.

How to enable DEP for all programs

  1. Click Start, point to Control Panel, and then click System.

    System icon (Control Panel)

  2. Click the Advanced tab, and then click Settings under Performance.

    System Properties - Advanced tab

  3. Click the Data Execution Prevention tab, select Turn on DEP for all programs and services except those I select, and then click OK.

    Performance Options - DEP tab - Turn on DEP for all programs...

  4. You must restart the computer for this change to take effect. Confirm your selections by clicking OK two times, and then restart the computer.
Defining exceptions If certain programs cause problems, define them as exceptions. To do this, follow these steps:
  1. On the Data Execution Prevention tab, click Add.
  2. Search for and select the program file that you want to add as an exception, click Open, and then click OK.
  3. Click OK two times, and then restart the computer.

To disable Data Execution Prevention

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

If the computer experiences problems with DEP, you can disable this function. To do this, you must modify the Boot.ini file as follows:
  1. You must first check your Folder Options. Click Start, click Control Panel, and then double-click Folder Options.

    Folder Options icon (Control Panel)

  2. Check that all folders and system files are displayed.

    Folder Options window - show hidden files...

  3. Start the computer in safe mode. To do this, press the F8 key after the Power On Self Test (POST) is finished.
  4. Use the arrow keys to select the Safe Mode option. Then, press ENTER.
  5. Select the operating system you want to start, and then press ENTER.
  6. Open My Computer, and then click drive C:\. Search for the Boot.ini file.
  7. As a precaution, make a backup copy of the Boot.ini file. To do this, right-click the file, click Copy, right-click an empty area, and then click Paste.
  8. Right-click the Boot.ini file, and then click Properties.

    C:\boot.ini - Properties in context menu

  9. Click to clear Read-only, and then click OK.

    Read-only checkbox deactivated

  10. Click Start, click Run, type notepad c:\boot.ini, and then click OK.

    Run - notepad c:\boot.ini

  11. Change NoExecute=xxxxx to NoExecute=AlwaysOff.

    Boot.ini editor - NoExecute=OptIn

    Boot.ini editor - NoExecute=AllwaysOff

  12. Save the Boot.ini file, revert to read-only, and then restart the computer.

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

875352 A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003

For more information about the other topics in the Windows XP Service Pack 2 - Step by Step guide, click the following article numbers to view the articles in the Microsoft Knowledge Base:

889735 Windows XP Service Pack 2 (Part 1)

889736 Installing Service Pack 2 (Part 2)

889737 The new Security Center (Part 3)

889738 Automatic Updates (Part 4)

889739 Virus protection (Part 5)

889740 Windows Firewall (Part 7)

889742 Improvements in Internet Explorer and Outlook Express (Part 8)

889743 Uninstalling Service Pack 2 (Part 9)

This article is a translation from German. Any subsequent changes or additions to the original German article may not be reflected in this translation. The information that is contained in this article is based on the German-language versions of this product. The accuracy of this information relative to other language versions of this product is not tested within the framework of this translation. Microsoft makes this information available without warranty of its accuracy or functionality and without warranty of the completeness or accuracy of the translation.

Modification Type:MinorLast Reviewed:10/5/2006
Keywords:kbhowto KB889741