Microsoft has announced plans to add new anti-exploitation APIs into Windows Vista SP1, Windows XP SP3 and Windows Server 2008 as part of a larger plan to secure the Windows ecosystem.
According to Michael Howard, a senior program manager in Microsoft’s security unit, the delivery of the new NX (/noexecute) APIs significantly lowers the barrier to entry for application developers who want to opt in to DEP (Data Execution Prevention) for Windows programs.
In his announcement, Howard said the new APIs will let developers set DEP on their process at runtime rather than using linker options.
The key API being added is SetProcessDEPPolicy, which sets the DEP policy for the running process, he said.
Howard said there are three main reasons to use the new Windows APIs:
“* If your application has some form of in-process extensibility mechanism, and some applications might use older ATL, then you can enable DEP for your process, and the extensibility mechanisms using ATL will function correctly.
* If you support DEP but want to allow customers to disable DEP if there are serious compatibility issues, then this is the API to use because the argument can be a configuration option.
* If your application uses an old version of ATL, and you still want to do the right thing by DEP, then use this function. Of course, you really ought to use an updated version of ATL!”
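The following is an added example, not code from the article or from Microsoft, showing how an application would use SetProcessDEPPolicy in the way Howard's three bullets describe: DEP is enabled at runtime, the choice is driven by a configuration setting so a customer can opt out if a legacy in-process extension breaks, and old ATL is tolerated by leaving ATL thunk emulation on. The setting names ("off", "strict") and the helper functions are assumptions made for the example; the flag values PROCESS_DEP_ENABLE and PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION and the GetProcessDEPPolicy check are the documented Win32 ones. The Win32 calls compile only on Windows; the policy-selection logic is portable so it can be exercised anywhere.

```c
/* Added example (not from the article or from Microsoft): enabling DEP at
 * runtime with SetProcessDEPPolicy, driven by a configuration setting so an
 * operator can turn it off if a legacy in-process extension breaks. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#ifndef _WIN32_WINNT
#define _WIN32_WINNT 0x0600   /* Vista SP1-era headers declare the DEP APIs */
#endif
#include <windows.h>
#else
/* Portable stand-ins so the policy logic compiles off Windows. */
typedef unsigned long DWORD;
#define PROCESS_DEP_ENABLE                      0x00000001
#define PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION 0x00000002
#endif

/* Configuration values an application might read from its config file
 * (hypothetical setting names, not from the article). */
typedef enum {
    DEP_CFG_OFF = 0,          /* customer-requested opt-out for compatibility */
    DEP_CFG_ON_LEGACY_ATL,    /* enable DEP, keep ATL thunk emulation for old ATL */
    DEP_CFG_ON_STRICT         /* enable DEP, no ATL thunk emulation (updated ATL) */
} dep_config_t;

/* Parse a textual config value; anything unrecognised (or no setting at all)
 * defaults to DEP on with old-ATL tolerance, the safest broadly compatible choice. */
dep_config_t parse_dep_config(const char *value)
{
    if (value == NULL) return DEP_CFG_ON_LEGACY_ATL;
    if (strcmp(value, "off") == 0)    return DEP_CFG_OFF;
    if (strcmp(value, "strict") == 0) return DEP_CFG_ON_STRICT;
    return DEP_CFG_ON_LEGACY_ATL;
}

/* Map the configuration to SetProcessDEPPolicy flags.
 * Returns 0 when DEP should not be enabled (the API is then not called). */
DWORD dep_flags_for_config(dep_config_t cfg)
{
    switch (cfg) {
    case DEP_CFG_ON_LEGACY_ATL: return PROCESS_DEP_ENABLE;
    case DEP_CFG_ON_STRICT:     return PROCESS_DEP_ENABLE |
                                       PROCESS_DEP_DISABLE_ATL_THUNK_EMULATION;
    default:                    return 0;
    }
}

/* Apply the policy. Returns 1 if DEP is on for this process afterwards,
 * 0 otherwise. On Windows the result is read back with GetProcessDEPPolicy.
 * SetProcessDEPPolicy applies to 32-bit processes only, and once DEP is
 * enabled it cannot be disabled again for the life of the process, so call
 * this early, before loading any extension DLLs. */
int apply_dep_policy(dep_config_t cfg)
{
    DWORD flags = dep_flags_for_config(cfg);
    if (flags == 0)
        return 0;   /* operator opted out; leave the process as it was */
#ifdef _WIN32
    if (!SetProcessDEPPolicy(flags)) {
        /* Typical failures: 64-bit process (DEP is always on there) or the
         * policy already fixed by /NXCOMPAT or the system-wide DEP setting. */
        fprintf(stderr, "SetProcessDEPPolicy failed: %lu\n", GetLastError());
    }
    {
        DWORD current = 0;
        BOOL permanent = FALSE;
        if (GetProcessDEPPolicy(GetCurrentProcess(), &current, &permanent))
            return (current & PROCESS_DEP_ENABLE) ? 1 : 0;
        return 0;
    }
#else
    /* No DEP policy API off Windows: report that nothing was set. */
    return 0;
#endif
}

int main(int argc, char **argv)
{
    const char *setting = argc > 1 ? argv[1] : NULL;   /* e.g. "off" or "strict" */
    dep_config_t cfg = parse_dep_config(setting);
    printf("DEP enabled for this process: %s\n",
           apply_dep_policy(cfg) ? "yes" : "no");
    return 0;
}
```

The design point is that the configuration only decides between the two enable variants and the opt-out; there is no path that turns DEP back off, because the API does not allow it once enabled. The strict variant is what an application built against an updated ATL should use, since the thunk emulation exists solely to keep old ATL's stack thunks working under DEP.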