Posted by: kurtsh | November 12, 2006

INFO: How Windows Vista helps protect against Buffer Overrun threats

Michael Howard, one of our more senior Security Experts here at Microsoft typed up a blog about how Windows Vista prevents viruses from infecting workstations & servers.

It is said that 70% of all viruses are dependent on something called a "Buffer Overrun".   A Buffer Overrun is simply when a program allows data or code to be written outside of the confines of the program’s addressable memory space.  This is usually the result of the growth of an unchecked variable or array. 

In the case of viruses, data/code is specifically written in such a way that if it is executed by the system, it will self propagate using the elevated privileges of the system itself.  (Every OS has a system account to executes system level code like kernel instructions, etc.)

So the only problem, is getting the system to run the code once it’s been written outside of the invaded application.  This is usually simple if placed correctly into memory into areas of memory that the OS is known to execute.

Methods of how prevent these sort of attacks are detailed in Michael’s blog… particularly a new feature of Windows Vista called "Address Space Layout Randomization" which essentially makes it extremely difficult to predict when and where operating system code is in memory making intrusions using Buffer Overruns very difficult. 



%d bloggers like this: