How DEP can protect your PC

How DEP can protect your PC

By Scott Dunn Newer processors, such as those from Intel and AMD, support a useful feature that Microsoft calls hardware Data Execution Prevention (DEP). Unfortunately, it’s not enabled for all the software you may be running. Here’s how to remedy that situation.

How does Data Execution Prevention work?

Data Execution Prevention aims to protect your computer by making it harder for hackers to silently execute their programs in your PC.

As Windows runs, its Virtual Memory Manager maps addresses in RAM to locations on the hard disk (in the pagefile or swapfile). At the same time, hardware DEP inserts a special bit into the disk version of an address, marking it as non-executable.

If a hacker program attempts to write code to such a location and then execute it, a DEP-enabled processor detects the exploit and registers an error. If so, Windows can shut down the problem application or, if the hacked code is in an area used by Windows, halt a portion of the operating system itself.

Windows XP Service Pack 2 (SP2) has a software-only version of DEP, which is not as effective as the hardware version. Fortunately, Vista provides support for both software DEP and hardware DEP. In either case, you’ll want to turn on those DEP settings that you can benefit from. Vista users should read on, while XP users can skip down to the section entitled “Turning on DEP.”

Does my system support DEP?

Follow the steps below to find out if the processor in your Vista computer supports hardware DEP:

Step 1. In Vista’s Windows Explorer application, launch the System Properties dialog box by right-clicking Computer in Explorer’s folder list.

Step 2. Choose Properties, or launch the System icon in Control Panel’s System and Maintenance category.

Step 3. Click Advanced System Settings in the task bar on the left.

Step 4. Click Continue, if prompted by User Account Control.

Step 5. Under Performance, click Settings.

Step 6. In the Performance Options dialog box, click the Data Execution Prevention tab. If your processor supports this feature, a sentence to that effect appears in the lower part of the dialog box.

Here’s a fast way to get to the same dialog box using only the keyboard, with minimal mouse clicking:

Step 1. In Vista, press Win+R to open the Run dialog box.

Step 2. Type SystemPropertiesDataExecutionPrevention and press Enter.

Step 3. Click Continue, if prompted by User Account Control.

Are all of my applications using DEP?

As the Performance Options dialog box suggests, DEP is turned on by default for most Windows services and programs — but not all. Vista users can see which applications aren’t covered by taking these steps:

Step 1. Right-click an empty area of the taskbar and choose Task Manager (or press Ctrl+Shift+Esc).

Step 2. Click the Processes tab and choose View, Select Columns.

Step 3. Scroll to the bottom of the Select Process Page Columns dialog box and check Data Execution Prevention.

Step 4. Click OK.

The new column shows you which processes have DEP enabled (most of them) and which do not — notably Explorer (explorer.exe) and Internet Explorer (iexplore.exe). If you happen to have Windows Media Player (wmplayer.exe) or Outlook 2007 (outlook.exe) running, you’ll notice DEP is disabled for these applications as well. You may also see some IE plug-ins listed here, like Java (jusched.exe) or the Google toolbar (GoogleToolbarNotifier.exe).

Figure 1. Windows Task Manager can show you which applications are using DEP.

If DEP is so useful, why is it disabled for important applications like Outlook 2007 and IE 7? The answer is that many developers disable DEP to maintain backward compatibility with other products, such as add-ons or plug-ins. For example, although plug-ins such as Adobe’s Acrobat Reader and Flash Player now work with DEP enabled for IE, as of this writing, the Google toolbar and Sun Microsystem’s Java plug-in do not.

How to turn on DEP

Both Vista and XP let you turn on DEP globally, while allowing you to make exceptions for applications that have problems. To do that, you need to return to the Performance Options dialog:

In Vista, click Start, type SystemPropertiesDataExecutionPrevention, and press Enter. Click Continue in the User Account Control dialog box.

In XP, click Start, Run, then type sysdm.cpl and press Enter. Click the Advanced tab. In the Performance box, click Settings. Click the Data Execution Prevention tab.

In both XP and Vista, select Turn on DEP for all programs and services except those I select.

In Vista only, take time now to specify a few of the programs you saw listed in Task Manager earlier to keep DEP disabled for them. To do that, click Add and browse for the .exe file of a program you know normally does not use DEP (for example, explorer.exe, wmplayer.exe, outlook.exe). Select the filename and click Open. Click OK to acknowledge the risk of turning off DEP for that application. Repeat for each application that normally doesn’t use DEP.

The strategy here is to enable DEP for these applications one at a time over an extended period to see if they can live with this feature. Start by unchecking one of the boxes for an app you added to the exception list. Click OK (and OK again to acknowledge the restart prompt) and restart your system. If the unchecked application runs well for a few days, return to the Performance Options dialog box, and uncheck another app. Repeat until everything is running with DEP — or until you find one or more apps that need DEP disabled to run properly.

Figure 2. Use the Performance Options dialog to add exceptions to your DEP settings.

XP users have no way to spot applications that don’t use DEP by default, but they can start with Outlook 2007 and Windows Media Player 11. If Windows closes an application with a Data Execution Prevention error message (or any serious error on a regular basis), you can add that application to the exclusion list, as explained above. If you’re lucky, the error message will contain a Change Settings button to get you to the dialog box more quickly.

Note that the Data Execution Prevention tab of the Performance Options dialog box only lets you adjust DEP settings for 32-bit applications. If you have the 64-bit version of Vista installed (which can run both 32- and 64-bit apps), you’re covered: Windows applies DEP to all 64-bit services and programs. In fact, if you try to add a 64-bit application to the exclusion list, Vista displays an error telling you it can’t be done.

Working around the IE exception

Contrary to what you might expect, one type of program in particular ignores the settings in the Data Execution Prevention tab — namely, browsers such as Internet Explorer 7. The only way to enable DEP for IE 7 is in the Internet Options control panel in Vista. XP users apparently have no way to activate DEP for IE 7.

To get a DEP-enabled IE browser in Vista, begin by disabling most or all of your IE add-ons. From the IE command bar, choose Tools, Manage Add-ons, Enable or Disable Add-ons. In the Manage Add-ons dialog box, select a helper application in the list and click the Disable button below. Repeat for all items in the list, except those you know to be safe (such as Adobe Acrobat and Flash). Click OK.

Now let’s turn on DEP for Internet Explorer:

Step 1. Click Start, type inetcpl.cpl, and press Ctrl+Shift+Enter to open the dialog with administrative privileges. (If you don’t run this dialog as an administrator, the option in question will be greyed out.)

Step 2. Click Continue in the User Account Control prompt.

Step 3. Click the Advanced tab and scroll to the bottom of the Settings list.

Step 4. Check Enable memory protection to mitigate online attacks.

Step 5. Click OK.

Now, restart Internet Explorer (if it was running). If everything seems to go smoothly, return to the Manage Add-ons dialog box. Enable one of the plug-ins, click OK, and restart IE again.

As with the applications you specified earlier, you’ll want to use IE for a while to make sure everything works as desired. If IE won’t start or you see errors with some Web sites, you may need to disable the problem plug-in. If you can’t live without a DEP-intolerant plug-in, you may have to turn off DEP for IE altogether.

Other apps that are DEP exceptions

IE 7 is not the only program that ignores Windows global DEP settings. Even with DEP turned on globally, Task Manager shows that neither Mozilla Firefox nor Opera support DEP.

If DEP is important to your sense of Internet security, IE 7 is the only major browser that supports it — until the other applications provide support for this feature.

Managing installer and application problems

Although the DEP is supposed to display a message indicating when it has shut down an errant program, some sources claim that the messages don’t always appear, and that DEP can sometimes even prevent programs (especially installers) from launching. These sources go so far as to recommend turning off DEP entirely.

Such advice is like throwing out the proverbial baby with the bathwater. If you do have problems with applications that end abnormally or won’t run, you can always return to the Performance Options dialog to turn off DEP temporarily as a test. This can help you get your software installed, for example, if an installer won’t run.

Overall, you’re much better off making exceptions for a few problem programs (and reporting the difficulty to the manufacturer) than shutting down DEP entirely.

Finally, you should look at DEP as only one weapon in your security arsenal. DEP adds an important layer of protection, but it isn’t a reason to give up your other security tools.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He is also a contributing editor of PC World Magazine, where he has written a monthly column since 1992, and co-author of 101 Windows Tips & Tricks (Peachpit) with Jesse Berst and Charles Bermant.

Readers contribute to the discount debate

By Scott Dunn

Following last week’s story on OEM software, readers raised legitimate concerns about OEM discounts and some crippled academic software.

Other readers offered even more ways and places to get software with a whopping educational discount.

OEM discounts: too good to be true?

A handful of readers expressed concern about the information in my article on OEM discounts. Windows Secrets contributing editor Susan Bradley sent her own take on this line of thought:

• “Over the last couple of newsletters, several ways to cheaply upgrade to Vista have been discussed. However, the best and cheapest way to ‘upgrade’ or ‘buy’ Vista is still the way my sister bought her Vista operating system. She bought it preinstalled on a computer, with the proper drivers already included.

  “OEM licenses aren’t legal for the average computer user to purchase and use to install on existing computers. Most of us can’t legally buy or install this software on our computer systems because we aren’t system builders. OEM software by definition is ‘original equipment manufacturer’ software and is licensed to system builders to install and bundle on, typically, new systems.

  “You can read the EULA for the OEM software that I copied on my Web site. When you purchase OEM software, you are stating that you are a ‘system builder’ of computer devices, that is, you are a manufacturer of computer equipment. You also certify that you will provide all support for that system. And, you need to affix a Certificate of Authority to the system.

  “The bottom line is that unless your name is Michael Dell, chances are most of us aren’t system builders. Therefore, it’s not legal for us to buy OEM software and use that license to install it on our systems.”

The purpose of my story was to report on the savings advertised by a number of online retailers (including reputable dealers like Amazon.com) via OEM or System Builder software. As Susan points out, however, some retailers may be violating Microsoft’s OEM license when they fail to sell the product with a fully assembled computer system. Microsoft changed its OEM license in September 2005 to add this requirement, as described in a Microsoft blog post.

In addition, OEM versions of Microsoft software can only be sold by “authorized dealers”, found on a Microsoft list (this link requires IE), to “system builders,” who are required to register with the Microsoft Partner Program. This language leaves little room for a home user to take advantage of these discounts while still complying with the license agreement.

Let me be clear that I do not encourage anyone to break the law or behave unethically by violating software license agreements. My story reported the fact that a large number of online stores do sell OEM versions of software. These sales attract customers, some of whom may not understand the legal details or choose to ignore them.

Some academic software is different than retail

OEM discounts aren’t the only complicated subject in the software marketplace. A reader named David points out that not all academic software is created equal:

• “Student versions of software vary widely in their restrictions. Macromedia, for example, used to limit the size of projects in Director and put a ‘bug’ [logo] on the output to indicate it was produced by a student version so it couldn’t be used for commercial projects.

  “Adobe, on the other hand, has been easier. I got my first copy of Photoshop as a ‘student OEM’ version with no handicaps and have not had any upgrade issues since. It was 25% of the cost of retail.

  “Other products may block professional output formats or limit the number of projects produced. So, do your research to see what your best value really is. Typically, upgrades are the same cost for everyone, so if offering a discounted version gets you started with them, vendors are happy to support it.”

Because Adobe acquired Macromedia in 2005, I wouldn’t expect to see these kinds of restrictions in Director anymore. But David’s point is still an excellent one: do your research on a particular discounted product before you buy it.

An educational way to get software gratis

Other readers wrote in with more ways and places to get software discounts. Karl Poehleman clues us in to another educational discount option:

• “Your discounted software finds are all very nice, but you left out an alternative — free! As in free Microsoft software from Microsoft Academic Alliance. All one needs to do is take a computer-related class at a local community college (or other qualified educational outlet), and then voilà — free software!

  “Sure, you can buy it discounted there as well, but I picked up copies of Vista Business, XP Pro, Access 2007, Visio Pro, and more for nada, zip, zero. The software itself needs to be downloaded, or in some cases checked out for copy (so you need to have a burner, or in the case of Vista, a DVD burner). This is a great option that deserves mention.”

The program Karl identifies is formally known as the MSDN (Microsoft Developer Network) Academic Alliance. It makes software available to qualifying institutions and their faculty and students for instructional purposes or noncommercial research. The program’s EULA specifically rules out commercial use. The license has some other quirks, such as requiring that operating systems obtained under this program be installed only on computers that do not have an OS at the time of installation.

Because of the emphasis on software development, the program does not include products such as Microsoft Office, but it does include some Microsoft operating systems, as Karl mentions. Some schools may not include the software with the enrollment fee, so check with your local educational institution about policies and pricing.

Find academic discounts in Australia, too

To help academic readers in Australia, reader Sam McCleary chimes in with some sites that offer educational discounts in the land down under:

• “After reading your article on academic pricing, I thought I’d add my two-cents worth and tell you where to get discounted educational software in Australia. SI Group sells discounted Microsoft and Adobe software to students of an accredited academic institution.”

Thanks for the tip, Sam!

How many USB devices do you need?

Some days it seems like there’s an invention for everything. A case in point: The Mouse Jiggler, a USB device that keeps your pointer in motion so your screen saver never kicks in when you wander away from your computer. The device is being marketed to computer forensics experts and IT professionals who don’t want a laptop to lock them out with a password-protected screen saver. There must be a lot of people out there who don’t know how to disable password protection on their screen savers! Maybe you need yet another USB gizmo, but wouldn’t it be a whole lot easier to just use the Display control panel? More info

Word 2000/XP flaw makes docs dangerous

By Chris Mosby Although some missing patches are more important than others, and some have lain undiscovered for years, none of them should be ignored. This week, flaws in MS Word and Internet Explorer could cause you trouble. Here’s how to avoid system upset.

Word flaw allows infected code execution

McAfee Avert Labs discovered in February a zero-day exploit in Microsoft Word 2000 that the company said had been used in a "very limited and targeted attack." This flaw was first believed to only cause a Denial of Service (DoS), but was later found to allow the execution of infected code as well.

Microsoft recently acknowledged this flaw in a security advisory and revealed that Word XP is also affected. The vulnerability is caused by a previously undisclosed error in the way Word parses documents. A user must open a hacked document for this flaw to be exploited, but if that occurs, infected code will be run with the same rights as the logged-on user.

What to do: Microsoft suggests that you not open or save Office files you receive from untrusted sources, or even those that that you receive unexpectedly from trusted sources. Though this is good advice to follow with any type of e-mail attachment, the vulnerability does not affect Office 2003 or Office 2007. Thus, it would make more sense to just upgrade Office to the latest version.

More information: CVE-2007-0870, US-CERT, ISS, SecurityTracker, SecurityFocus, FrSIRT, Secunia

IE ‘onunload’ flaw can trap users

A flaw in Internet Explorer (IE) 6 and 7 could allow a hacker to construct an infected Web page that would affect you. You could actually be trapped on the infected page, although it would appear that you had successfully navigated to another Web site.

This flaw is caused by an error in the way IE handles JavaScript onunload events. This could allow a hacker to stop a user from loading a different Web page in the browser. (The infected page can also display a trusted Web site, if a user types the address into the address bar manually.) The spoofed Web page can be used to phish for sensitive information, like banking passwords, that are stored on the user’s system. This flaw has been confirmed on a fully patched Windows XP Service Pack 2 system running either IE 6 or 7.

What to do: I suggest using Firefox until this flaw has been patched. Firefox was once vulnerable to a similar flaw, but it was fixed with version 2.0.0.2. If you can’t switch, then closing all of your IE windows after visiting one Web site and before visiting any other Web site is your only other option.

More information: CVE-2007-1091, FrSIRT, Secunia, ISS, SecurityFocus

The Over the Horizon column informs you about threats for which no patch has yet been released by a vendor. Chris Mosby recently received an MVP (Most Valuable Professional) award from Microsoft for his knowledge of Systems Management Server. He runs the SMS Admin Store and is a contributor to Configuring Symantec Antivirus Corporate Edition.

Fix for 'Svchost' is headed our way

By Susan Bradley Issues with Microsoft Update have been slowing down computers for the last several months. There are some things you can do now to help solve the problem, and a complete fix will be out soon.

‘Svchost’ repair is coming soon

For those who have been suffering from near-crippling speed issues, in which your computer comes to a near standstill when booting up or scanning for updates, help is on the way. Bobbie Harder announced the good news on the WSUS blog. An issue with the svchost.exe process, which runs Windows Update and Microsoft Update and can consume 100% of your computer’s CPU processing power, will be resolved over the next few months.

The problem affects Windows Server 2003 and Windows XP Pro (when XP is used with Office XP. To cope with the situation in the short term, first read Knowledge Base article 927891. This documents links to hotfixes for Server 2003 and XP and discusses a related problem with KB 927891.

For system admins, a new Windows Update Agent (WUA) will need to be installed on each workstation. The instructions for obtaining the new client are available on an MSDN page. I’ll be discussing this in more detail in my next column, to be published on May 10.

Thunderbird gets an update and a new look

For those of you who, like me, use Mozilla Thunderbird as an e-mail client, there’s a new version — version 2.0.

You can download the new version, which now includes support for Vista and 64-bit Windows (as per the bug fix information), from the Mozilla Web site. The biggest change is the new look, which I’m still getting used to.

Updating Apple for security issues

Apple announced on its site a bundle of updates that correct several security issues in the Macintosh platform. The worst of the issues are those in which attackers can gain access remotely, typically by using a malicious Web site to infect visiting computers.

As columnist Ryan Russell wrote in last week’s newsletter, this attack method was used by a security researcher to hack into a MacBook at a recent security contest. In the case of the Apple-hacking contest, a vulnerability in the Java handling of QuickTime provided the means of entrance. This once again showcases the risk of Java vulnerabilities to both Macintosh and Windows platforms.

What, exactly, does ‘untrusted’ mean?

Lately, just about every vulnerability report warns against opening any files from “untrusted” sources. But how should we define “untrusted” these days?

In one recent exploit, an Adobe Photoshop vulnerability could be triggered by malicious bitmap files, which could be posted online by almost anyone. In another incident, a site hosted by a partner of Microsoft was defaced (as blogged about by Sandi Hardmeier). It’s getting harder to know what sites to trust. Google recently acknolwdged that targeted ads on its search engine pages have sent folks to malicious Web sites.

These instances make it apparent that we need to be constantly on alert about the Web. Any site we visit could send us to another Web site that we didn’t realize we were going to when we clicked on the original link. Thus, to be safe, I’m beginning to think that we should treat every link, e-mail, or Web site that we click on, open, or visit as potentially threatening. That means you must ensure you keep your antivirus software up to date at all times and, if you can, run your computer without administrative rights.

Some experts argue that, when working on sensitive financial data, you should use a computer system that is allowed to visit only a few, limited Web sites, such as your bank site. For now, I’d say don’t consider any site or source to be 100% trusted. Always be on your guard, always examine links before clicking, and never click anything that sounds too good to be true.

How not to install Windows 2003 Service Pack 2

Some of you may have found out that if you install Windows Server 2003, you’re now automatically offered Service Pack 2 (SP2). At first, we all thought that we were being forced to install SP2. But it turns out that there’s a way to postpone the install and get just the pre-SP2 patches you need. Rodney Fournier details the process of how to “say no to SP2” on his blog.

In the Small Business Server community, many are holding back on deploying this latest service pack. Remember, however, that if you have Automatic Updates enabled on your servers, SP2 is slated to be deployed automatically in June.

By that time, I highly recommend that you do one of the following: (1) make sure you’re ready for the service pack; (2) change the Automatic Updates setting to download the service pack but not install it; or (3) turn off Automatic Updates on your servers and only apply patches to the our servers when you feel ready to do so.

Final version of WSUS 3.0 is released

On Apr. 30, the WSUS (Windows Server Update Services) team released the final version of WSUS 3.0 on the Web. The new WSUS has many added features, including incorporation of e-mail notifications, to mention just one item.

For those running SBS 2003 R2, the important thing to remember — as you install WSUS 3.0 the existing WSUS 2.0 — is to not run the setup customization wizard that the WSUS 3.0 program launches at the end of the install process.

For everyone else, just follow along with the wizard to set up the programs and settings you want to customize.

The Patch Watch column reveals problems with patches for Windows and major Windows applications. Susan Bradley recently received a MVP (Most Valuable Professional) award from Microsoft for her knowledge in the areas of Small Business Server and network security. She’s also a partner in a California CPA firm.