Article ID: 889741 - Last Review: February 6, 2007 - Revision: 1.5

Windows XP Service Pack 2 (Part 7): Protecting against buffer overflows

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
Important This article contains information that shows you how to help lower security settings or how to turn off security features on a computer. You can make these changes to work around a specific problem. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this workaround in your particular environment. If you implement this workaround, take any appropriate additional steps to help protect your system.

On This Page

Expand all | Collapse all

SUMMARY

This article is Part 7 of the Windows XP Service Pack 2 - Step by Step guide. This article describes how to protect against buffer overflows in Microsoft Windows XP Service Pack 2 (SP2).

To view the other articles in the Windows XP Service Pack 2 - Step by Step guide, see the Microsoft Knowledge Base articles that are listed in the "References" section.

The Windows XP Service Pack 2 - Step by Step guide includes the following topics: 
Part 1:  Better security with Service Pack 2

Part 2:  Installing Service Pack 2

Part 3:  The new Security Center

Part 4:  Automatic Updates

Part 5:  Virus protection

Part 6:  Windows Firewall

Part 7:  Protecting against buffer overflows

Part 8:  Improvements in Internet Explorer and Outlook Express

Part 9:  Uninstalling Service Pack 2
Back to the top

MORE INFORMATION

Part 7: Protecting against buffer overflows

Buffer overflows are one of the most notorious forms of attack from the Internet. They rely on the simple fact that programmers may make errors when reserving disk space for variables.

This means, for example, that a user may subsequently enter data that contains many more characters than originally designated. The surrounding memory that has nothing to do with the variable may also be affected. Most of the time, the program will stop responding. However, an attacker may also exploit this vulnerability to gain control over the computer.
Collapse this imageExpand this image
Buffer overflow

How does a buffer overflow work?

To correctly understand how a buffer overflow works, you will require some technical knowledge.

A computer has random access memory (RAM) that is shared by all programs. To make memory management easier, Windows XP SP2 has a feature that controls which segments of RAM are currently being used. If a program is started, free memory is allocated to that program.

This memory is divided into three segments:
  • Code segment
    Program-specific executable commands are stored here.
  • Data segment
    Program-specific data is stored here.
  • Stack (part of the data segment)
    Everything relevant to program functions is stored here. This includes parameters, buffers for storing local variables and, most important, the return address. The return address specifies where the program will continue from after the function has been executed.
    Collapse this imageExpand this image
    Return address
    As information that is entered by a user is also registered as a variable, everything that a user types is sent to the stack. Generally, this behavior does not pose a problem. However, if the buffer limit is exceeded because of a programming error, the stack becomes easy to control. For example, if an attacker selects the appropriate entry for the attack, the whole segment that is designated for local variables may be overwritten with instructions. Additionally, the subsequent return address can be changed to point to malicious code. Therefore, the program no longer functions correctly, but blindly performs the attacker's commands.
    Collapse this imageExpand this image
    Variable X redirecting to harmful code

What does Data Execution Prevention do?

Data Execution Prevention (DEP) monitors programs to verify whether they are using system memory securely. To do this, DEP software, either alone or with compatible microprocessors, marks memory locations as "non-executable." If an program tries to run a code (malicious or not) from one of these protected locations, DEP closes the program and notifies you by sending a warning message.

After you install Windows XP SP2, DEP is only enabled for necessary operating system programs and services because not all software programs run smoothly with DEP. To enhance security, you can turn on DEP for all programs and then define exceptions for individual programs and services.

How to enable DEP for all programs

  1. Click Start, point to Control Panel, and then click System.
    Collapse this imageExpand this image
    System icon (Control Panel)
  2. Click the Advanced tab, and then click Settings under Performance.
    Collapse this imageExpand this image
    System Properties - Advanced tab
  3. Click the Data Execution Prevention tab, select Turn on DEP for all programs and services except those I select, and then click OK.
    Collapse this imageExpand this image
    Performance Options - DEP tab - Turn on DEP for all programs...
  4. You must restart the computer for this change to take effect. Confirm your selections by clicking OK two times, and then restart the computer.
Defining exceptions
If certain programs cause problems, define them as exceptions. To do this, follow these steps:
  1. On the Data Execution Prevention tab, click Add.
  2. Search for and select the program file that you want to add as an exception, click Open, and then click OK.
  3. Click OK two times, and then restart the computer.

To disable Data Execution Prevention

Warning This workaround may make your computer or your network more vulnerable to attack by malicious users or by malicious software such as viruses. We do not recommend this workaround but are providing this information so that you can implement this workaround at your own discretion. Use this workaround at your own risk.

If the computer experiences problems with DEP, you can disable this function. To do this, you must modify the Boot.ini file as follows:
  1. You must first check your Folder Options. Click Start, click Control Panel, and then double-click Folder Options.
    Collapse this imageExpand this image
    Folder Options icon (Control Panel)
  2. Check that all folders and system files are displayed.
    Collapse this imageExpand this image
    Folder Options window - show hidden files...
  3. Start the computer in safe mode. To do this, press the F8 key after the Power On Self Test (POST) is finished.
  4. Use the arrow keys to select the Safe Mode option. Then, press ENTER.
  5. Select the operating system you want to start, and then press ENTER.
  6. Open My Computer, and then click drive C:\. Search for the Boot.ini file.
  7. As a precaution, make a backup copy of the Boot.ini file. To do this, right-click the file, click Copy, right-click an empty area, and then click Paste.
  8. Right-click the Boot.ini file, and then click Properties.
    Collapse this imageExpand this image
    C:\boot.ini - Properties in context menu
  9. Click to clear Read-only, and then click OK.
    Collapse this imageExpand this image
    Read-only checkbox deactivated
  10. Click Start, click Run, type notepad c:\boot.ini, and then click OK.
    Collapse this imageExpand this image
    Run - notepad c:\boot.ini
  11. Change NoExecute=xxxxx to NoExecute=AlwaysOff.
    Collapse this imageExpand this image
    Boot.ini editor - NoExecute=OptIn
    Collapse this imageExpand this image
    Boot.ini editor - NoExecute=AllwaysOff
  12. Save the Boot.ini file, revert to read-only, and then restart the computer.
Back to the top

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
875352  (http://support.microsoft.com/kb/875352/ ) A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003
For more information about the other topics in the Windows XP Service Pack 2 - Step by Step guide, click the following article numbers to view the articles in the Microsoft Knowledge Base:
889735  (http://support.microsoft.com/kb/889735/EN-US/ ) Windows XP Service Pack 2 (Part 1)

889736  (http://support.microsoft.com/kb/889736/EN-US/ ) Installing Service Pack 2 (Part 2)

889737  (http://support.microsoft.com/kb/889737/EN-US/ ) The new Security Center (Part 3)

889738  (http://support.microsoft.com/kb/889738/EN-US/ ) Automatic Updates (Part 4)

889739  (http://support.microsoft.com/kb/889739/EN-US/ ) Virus protection (Part 5)

889740  (http://support.microsoft.com/kb/889741/EN-US/ ) Windows Firewall (Part 7)

889742  (http://support.microsoft.com/kb/889742/EN-US/ ) Improvements in Internet Explorer and Outlook Express (Part 8)

889743  (http://support.microsoft.com/kb/889743/EN-US/ ) Uninstalling Service Pack 2 (Part 9)
This article is a translation from German. Any subsequent changes or additions to the original German article may not be reflected in this translation. The information that is contained in this article is based on the German-language versions of this product. The accuracy of this information relative to other language versions of this product is not tested within the framework of this translation. Microsoft makes this information available without warranty of its accuracy or functionality and without warranty of the completeness or accuracy of the translation.
Back to the top
APPLIES TO
  • Microsoft Windows XP Service Pack 2, when used with:
    • Microsoft Windows XP Home Edition
    • Microsoft Windows XP Professional
Back to the top
Keywords: 
kbhowto KB889741
Back to the top