Guess what? I turned DEP on and the sky didn’t fall in!

July 18, 2007

But I can’t print any more. More on that in a moment.

One of the benefits of a new PC is that it has an up-to-the-minute processor that supports Data Execution Prevention, or DEP for short (the processor feature behind it is the NX bit on AMD chips and the XD bit on Intel chips). Even though I have now abandoned use of Windows Vista and upgraded to XP for day to day use, I can still use DEP because it is supported by XP SP2.

In principle, and probably in practice, DEP is one of the most important security features you would want working on your PC. It is a hardware-based mechanism that stops some of the worst attacks dead in their tracks. Many recent security threats have involved malicious websites that take advantage of sloppy programming in components of the browser or of Windows itself (often remnants of early versions of Windows that survive into current ones) to execute code of the attacker’s own choosing. The malicious code only needs to run once to turn your PC into a “zombie” (part of a botnet used for spamming or Distributed Denial of Service attacks), install a rootkit, or cause other serious compromises.

The attack at issue here is the buffer overrun. A section of program intended to copy some legitimate data into a fixed-size area on the stack (the part of RAM used for a program’s working data, not its code) is fed more data than that area can hold. The extra bytes spill over the neighbouring stack contents, including the saved return address that tells the processor where to resume when the routine finishes. The attacker chooses that overwritten address so that, instead of returning to the caller, execution jumps to the start of the extra bytes, which are actually a malicious bit of machine code. The code sits in a part of RAM intended for data only, but a processor with no way to tell data pages from code pages will run it anyway.

That is, unless DEP is supported by the processor and switched on. With DEP, Windows marks the stack and other data areas as non-executable, and the processor raises an access violation the moment execution lands there, so the injected code never runs.

Under Vista, DEP is on by default at the basic level (it applies only to Windows’ own programs and services), but you can opt for an enhanced mode in which DEP’s protection extends to every program, with a list of exceptions you choose. XP SP2 has the same two levels and the same basic-level default, and hardware DEP is only available if you have a suitably up to date processor. Both levels are selected from the Data Execution Prevention tab under System Properties > Advanced > Performance Settings.

Steve Gibson of Gibson Research Corporation has a free downloadable utility called SecurAble which can tell you whether your processor supports hardware DEP.

Well if DEP is so great, why is Microsoft so coy about ensuring it is turned on at maximum protection level in all versions of Windows? Is there a problem with it?

Unfortunately, yes. Some perfectly innocent commercial programs generate code at run time and execute it out of data memory as part of clever wheezes to maximise speed of execution (just-in-time compilers do exactly this). DEP will stop those programs working unless they mark their generated code pages as executable. There is even a risk that critical parts of Windows, or old device drivers, may contain affected code, so that DEP could even stop Windows booting up.
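To make both points concrete, here is an added example (not code from this post, and nothing to do with Steve Gibson’s tools). It writes six bytes of machine code into a freshly mapped page and then calls it, once with the page left as ordinary read/write data memory and once with the page marked executable. The first case is what a stack overrun exploit relies on, and with the NX/XD bit enforced the processor refuses to run it; the second case is what a legitimate JIT-style program has to do to keep working under DEP. It is written against the POSIX mmap/mprotect calls rather than the Windows API (on Windows the equivalents are VirtualAlloc and PAGE_EXECUTE_READWRITE), so it assumes a Linux-style system on an x86-64 or AArch64 processor.

```c
/*
 * Added example: what the NX/XD bit behind DEP actually enforces.
 * Assumptions (not from the original post): POSIX mmap/mprotect/sigaction,
 * a SIGSEGV on the execute fault, and an x86-64 or AArch64 CPU for the
 * sample instruction bytes.
 */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Machine code for a function that simply returns 42. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RETURN_42[] = {
    0xB8, 0x2A, 0x00, 0x00, 0x00, /* mov eax, 42 */
    0xC3                          /* ret         */
};
#elif defined(__aarch64__)
static const unsigned char RETURN_42[] = {
    0x40, 0x05, 0x80, 0x52,       /* mov w0, #42 */
    0xC0, 0x03, 0x5F, 0xD6        /* ret         */
};
#else
#error "no sample machine code for this architecture"
#endif

static sigjmp_buf fault_recovery;

/* SIGSEGV handler: unwind back to the sigsetjmp in run_from_page. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_recovery, 1);
}

/*
 * Copy RETURN_42 into a new page and call it.  With executable == 0 the page
 * stays read/write data memory, the same state as attacker bytes sitting on
 * the stack; with executable != 0 it is remapped read/execute, as a JIT's
 * code cache would be.  Returns 42 if the code ran, -1 if the processor
 * faulted instead of executing it, -2 if the mapping itself failed.
 */
int run_from_page(int executable)
{
    volatile int result = -1;
    unsigned char *page = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, RETURN_42, sizeof RETURN_42);
    /* Keep the instruction cache coherent with what we just wrote. */
    __builtin___clear_cache((char *)page, (char *)page + sizeof RETURN_42);

    if (executable && mprotect(page, 4096, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, 4096);
        return -2;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(fault_recovery, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* turn the data pointer into a code pointer */
        result = fn();                   /* faults here when the page is data-only */
    } else {
        result = -1;                     /* the processor refused to execute data */
    }

    sigaction(SIGSEGV, &old, NULL);
    munmap(page, 4096);
    return result;
}

int main(void)
{
    printf("executable page: %d\n", run_from_page(1)); /* 42 */
    printf("data-only page:  %d\n", run_from_page(0)); /* -1 */
    return 0;
}
```

The data-only call is exactly the situation DEP is designed to catch: the bytes are perfectly good machine code, but they live in a page the operating system has said holds data, so the processor faults rather than running them. The exception list in DEP’s enhanced mode exists for programs that do what the executable-page call does without asking the operating system for permission first.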

The implementation of DEP on Windows does allow you to whitelist known safe programs that use data execution, but if you can’t even boot your system that is more of a problem. (On XP the setting lives in the /noexecute switch in boot.ini, so a bad choice can at least be undone by editing that file from the Recovery Console or another installation; on Vista it is held in the boot configuration data and changed with bcdedit /set nx.)

The whole issue is explained very articulately, in careful detail, by Steve Gibson in the popular security podcast Security Now! with Leo Laporte of This Week in Tech fame.

See (or rather listen to), in particular, episode 39 on buffer overruns and episode 78 on DEP.

It was thus with some trepidation that I turned DEP on in enhanced mode on my new PC running XP, and rebooted to make the change effective. I wasn’t sure what to expect. Warning messages all over the place? Programs not working? Would XP reboot at all?

Well it did reboot, with no obvious signs of anything having changed. I went into the Windows control panel just to check DEP really was on, which it was.

There has been only one occasion when any DEP related warning appeared. It happened when my daughter was running an older version of MSN Messenger, but she has installed a newer version and no problems reported since.

The only downside of DEP is that my printer, a trusty old HP Deskjet 5550, only prints blank pages. It prints test pages and calibration output, but not anything originating in an external program such as Word or Photoshop. I was stumped at first and never suspected DEP, because the printer had been attached to an older PC on the network and it only failed when I decommissioned the old PC and attached the printer to the new PC. I of course suspected faulty connections, incorrect drivers, anything but DEP. After all, there was no warning message about data execution.

I eventually found the explanation by Googling. I now have to decide between:

(i) DEP at basic level only

(ii) Bring the old PC back into service

(iii) Buy a new printer

It strikes me that (ii) is unattractive because the old PC is noisy and it’s a waste of energy having it on just to support a printer, while (i) compromises security and (iii) will cost money when the printer itself is still fine for my needs. Any ideas, folks?


One comment

  1. For an update on the printing problem (a SOLUTION no less) see here.
