Data Execution Prevention and vulnerabilities like MS12-020

    Question

  • Hi guys,

    With the current buzz around MS vulnerability MS12-020 (RDP remote execution vulnerability), I wonder if systems which have full Data Execution Prevention (DEP) enabled, i.e. which are using "Turn on DEP for all programs and services except...", are also vulnerable to this (and similar) issues? Judging from the information on TechNet, it seems like an "execution code in data memory" error, which is precisely what DEP is trying to prevent.

    Can anybody comment on this? If DEP enabled machines are still vulnerable, then what is the point of enabling DEP if you cannot protect against issues like these?

    BR,

    Tim


    • Edited by crisp_tim Wednesday, March 14, 2012 9:40 AM
    Wednesday, March 14, 2012 9:39 AM

Answers

  • Hello Tim,

    In my opinion, if the DEP can prevent that from the update, there should be specific documentation explaining it. Based on my research, there is no document for that. So the DEP should not conflict with the update. The best practice is to apply the update and not depend only on DEP for protection.

    Thanks,

    Spencer Shi


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by crisp_tim Thursday, March 29, 2012 9:19 AM
    Monday, March 26, 2012 10:04 AM

All replies

  •  

    Hi,

    I am trying to involve someone familiar with this topic to further look at this issue.

    Regards,

    Leo Huang

    TechNet Subscriber Support

    TechNet Community Support

    Friday, March 16, 2012 1:30 AM
    Moderator
  • Any word back on this yet?  Thank you for checking...
    Friday, March 16, 2012 2:41 PM
  • Hi Leo Huang,

    Thanks for the involvement & your time and that of your colleagues. I'm very interested to hear in the context of constructing security strategies for our customers why enabling DEP is or isn't a possible workaround for this or similar issues. I don't fully understand why a system could still be vulnerable to specially crafted data packets (with executable code embedded) with DEP enabled -- the specific example of MS12-020 is just an example, what interests me most is whether additional security measures should be implemented to protect against this class of attacks (in order to more adequately find the balance on a strategic level between security measures, their costs, and what is really necessary to mitigate certain risks).

    Thanks for your feedback on this. Best regards,

    Tim


    • Edited by crisp_tim Friday, March 16, 2012 3:12 PM
    Friday, March 16, 2012 3:08 PM
  • Hello,

    I found two blogs which discuss DEP in detail. I hope these can help you understand DEP more clearly.

     

    Understanding DEP as a mitigation technology part 1: http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx

    Understanding DEP as a mitigation technology part 2: http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx

    Thanks,

    Spencer Shi


    Saturday, March 17, 2012 8:27 AM
  • Hi Spencer,

    Thanks for the links to a more in-depth explanation of DEP. Unfortunately, they do not offer an answer to the original question -- I understand that DEP (combined with ASLR and other features enabled by default e.g. in Windows 7 64-bit) is not a magic silver bullet to stop all possible types of attacks. The possible ways to circumvent DEP, as discussed in the links, should not be effective thanks to ASLR (in Vista/Win7/W2K8/W2K8R2 kernels).

    So I still am not sure if systems with DEP enabled are also vulnerable to this attack?

    BR,

    Tim

    Thursday, March 22, 2012 12:39 PM
  • Hello Tim,

    Any update about the issue?

    Thanks,

    Spencer Shi


    Thursday, March 29, 2012 8:59 AM
  • Hi Spencer,

    Yes, your statement that it is a best practice not only to rely on DEP for protection was indeed more or less the answer I was looking for.

    Thanks and best regards,

    Tim

    Thursday, March 29, 2012 9:19 AM