The NX implementation is a security feature of XP SP2.
Specifically, NX prevents the execution of code marked as non-executable.
Some malware is known to execute code from non-executable locations during
attack. Additionally, NX forces developers to ensure they’re properly
marking all code (including JITed code) as executable. It’s these scenarios
that NX is designed for.
Jake is correct-application compatibility is a very important Windows
feature. We know it is important to our customers to be able to use their
older programs when upgrading to a new OS or updating to the latest service
pack.
The NX implementation addresses compatibility partially through the
mechanism that is described above. There are a limited set of libraries
that are known to have compatibility issues with NX. Instead of preventing
the application dependent upon the library from running, Windows
automatically disables NX for the application.
There are some scenarios where automatically disabling NX makes more sense
than putting users through the pain of their applications crashing
continually. It’s a balance between compatibility and security.
Note that this process of automatically disabling NX is carefully targeted
to a limited set of libraries with specific characteristics such as version,
manufacturer and link date. In the MSO example, only several versions of
MSO cause NX to be automatically disabled; later versions do not cause NX to
automatically be disabled. Also, there are non-Microsoft libraries in the
list.
Is this process of automatically disabling NX based on loading of a library
a Windows vulnerability? No. If your attack can get enough code running to
call LoadLibrary() on MSO.DLL or another library in this list to disable NX,
then you’re already past the point where NX would be useful in helping to
prevent your exploit.
Finally, a system administrator can turn off this automatic disabling-NX
behavior by adding “/noexecute=alwayson” to the boot entry.
Pat Stemen
Program Manager, Windows Kernel Platform Group
This posting is provided “AS IS” with no warranties, and confers no rights.
“AFei” wrote in message news:xxxxx@ntdev…
>
> I’m fine with it and thanks for the clarification, on my point of view, Nx
> is a very good security feature provided by hardware, it is better if OS
> can
> enforce this down to all applications, force the applications (include
> office) to change their unethical programming, (maybe start from
> Longhorn.),
> I knew it’s not enough to fighting with virus and trojans, at least it
> will
> cause some trouble to them. Just my opinions.
>
> Rgds,
>
> AFei
>
> “Jake Oshins” wrote in message
> news:xxxxx@ntdev…
>> The NX solution that we shipped was intended to catch existing malware
>> and
>> unintended screwups. If you read the press releases carefully, they
>> never
>> say that it’s a security feature. They always call it a reliability
>> feature. Other people’s reinterpretation of those press releases called
> it
>> a security feature, though, which significantly confuses the situation.
>>
>> The bottom line is that no solution in this space could possibly be
>> bulletproof without busting a huge number of apps. And compatibility
>> with
>> existing software is Windows’ number one feature.
>>
>> By the way, this is not my area of work. I don’t intend to try to
>> justify
>> these decsions and I probably won’t bother to engage in the arguments
>> that
>> this will devolve into. If you need more information and/or you
> absolutely
>> must argue the subject, I will forward your e-mail on to the Program
>> Managers who are involved. They may decide to respond.
>>
>> –
>> Jake Oshins
>> Windows Kernel Group
>>
>> This posting is provided “AS IS” with no warranties, and confers no
> rights.
>>
>>
>> “AFei” wrote in message news:xxxxx@ntdev…
>> > Okay, I’m smiling that MS puts in more features together with more
> holes.
>> > what I guess is they don’t want to make a “big” change on their existed
>> > products like office, and they were doing things rejected by Nx
>> > themselves,
>> > so a back door is necessary to give their own applications a higher
>> > priority. A lazy design caused this problem. Another consideration
>> > might
>> > be,
>> > tons of 3rd applications doing the same thing which MS have to support
>> > their
>> > unethical programming. Of course, I don’t want this hole was used by
> virus
>> > writer, maybe I should report this to MS or some security groups. Any
>> > suggestions are welcome.
>> >
>> > AFei
>> >
>> >
>> >
>>
>>
>>
>
>
>