According to Kaspersky Labs hardware Data Execution Protection (DEP) only helps to prevent successful exploitation, it doesn't completely mitigate it.
Hardware-based DEP is currently only available on NX-bit (AMD) and XD-bit (Intel) enabled CPUs, running Windows XP with SP2.
"We've tested on AMD and Intel platforms and HW DEP seemed initially to prevent successful exploitation in Internet Explorer and Windows Explorer. However, when testing the latest builds of third party image viewers like Irfanview and XnView HW DEP didn't prevent exploitation, even with HW DEP enabled for all programs. This is because both Irfanview and XnView are packed with ASPack and Windows disables HW DEP for ASPack packed files."
More alarming is using a limited user account, which restricts NTFS permissions doesn't protect the user from this exploit.
Windows 2000 which is by default not vulnerable to this exploit can be made to be vulnerable by simply using a third party image viewer like Irfanview or XnView because the viewers require the vulnerable file to show .wmf files.
Windows XP Pro 64 Bit has also been found to be vulnerable to this exploit. However currently the code cannot be executed because it is written for 32 bit systems. In order for the vulnerability to be exploited on a 64 bit system new shellcode specific to x64 is required. Kaspersky feels this is a remote possibility as there are only a small number of users which run 64 bit systems, so the vulnerbility couldn't be exploited on a large scale.
Posted on Wednesday, 04 January 2006 @ 14:39:24 UTC by Robin (4702 reads) [ Trackback ]
