Who isn't?

Jan 28, 2005 17:02 GMT

A Russian company claims it has found a way to disable a security measure in Microsoft Windows XP Service Pack 2, Windows' major security update, which was launched last August and is meant to keep users safe from vulnerabilities and hacker attacks.

The MaxPatrol team found that it was possible to defeat SP2's heap protection and Data Execution Prevention mechanism. This means that a would-be attacker could insert rogue code into a PC's memory and trick Windows into running the program. The heap is a reserved address-space region, at least one page large, from which the heap manager dynamically allocates memory in smaller pieces. The heap manager consists of a set of memory allocation and freeing functions located in two places: ntdll.dll and ntoskrnl.exe. The manipulation of the lookaside lists involves no header sanity checking; there is not even a simple cookie check. Theoretically, this makes it possible to overwrite up to 1016 bytes at an arbitrary memory location, which allows bypassing DEP (Data Execution Prevention) and executing arbitrary code.
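The point about the missing header check is easier to see on a toy model. The following C program is an added example, not code from the article, from MaxPatrol, or from the Windows heap manager: it builds a small singly linked free list of the lookaside kind, simulates an overrun from one chunk's data into the next chunk's header, and contrasts a pop routine that trusts the header with one that validates a header cookie first. The chunk layout, pool size, and the address-derived cookie scheme (`COOKIE_SECRET`, `expected_cookie`) are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a lookaside-style singly linked free list (constructed for
 * illustration; this is not the Windows heap manager's code or layout).
 * Each free chunk carries a small header: an integrity cookie and the
 * link to the next free chunk. */

#define CHUNK_DATA_SIZE 32
#define COOKIE_SECRET   0xA5A5A5A5u   /* hypothetical per-process secret */

typedef struct chunk {
    uint32_t      cookie;   /* header integrity value */
    uint32_t      reserved; /* keeps the link naturally aligned */
    struct chunk *next;     /* singly linked "lookaside" link */
    uint8_t       data[CHUNK_DATA_SIZE];
} chunk_t;

#define POOL_CHUNKS 4
static chunk_t  pool[POOL_CHUNKS];   /* contiguous chunks, like a heap segment */
static chunk_t *head;                /* top of the free list */

/* Cookie derived from the chunk's own address, so a header copied or
 * sprayed from elsewhere does not validate. */
static uint32_t expected_cookie(const chunk_t *c) {
    return (uint32_t)((uintptr_t)c >> 4) ^ COOKIE_SECRET;
}

static int in_pool(const chunk_t *c) {
    uintptr_t p = (uintptr_t)c;
    return p >= (uintptr_t)&pool[0] && p < (uintptr_t)&pool[POOL_CHUNKS];
}

void list_init(void) {
    head = NULL;
    for (int i = POOL_CHUNKS - 1; i >= 0; --i) {
        pool[i].cookie = expected_cookie(&pool[i]);
        pool[i].next = head;
        head = &pool[i];
    }
}

/* Unchecked pop: trusts whatever the header says, as a list with no
 * sanity checking does. */
chunk_t *pop_unchecked(void) {
    chunk_t *c = head;
    if (c != NULL)
        head = c->next;   /* a forged link becomes the next "free chunk" */
    return c;
}

/* Checked pop: refuses a chunk whose header no longer validates. */
chunk_t *pop_checked(void) {
    chunk_t *c = head;
    if (c == NULL)
        return NULL;
    if (c->cookie != expected_cookie(c))
        return NULL;      /* corrupted header: fail closed, keep the list as is */
    head = c->next;
    return c;
}

/* Simulate an overrun of the first chunk's data spilling into the second
 * chunk's header: cookie and link are both clobbered with 0x41 bytes
 * (constructed corruption, written directly to keep the model well defined). */
static void corrupt_second_header(void) {
    memset(&pool[1], 0x41, offsetof(chunk_t, data));
}

/* Returns 1 when the unchecked list accepted the corrupted chunk and its
 * head now points outside the pool, i.e. the next allocation would hand
 * out an address the overflow chose. */
int unchecked_list_serves_corrupted_link(void) {
    list_init();
    corrupt_second_header();
    chunk_t *first = pop_unchecked();   /* pool[0], header intact */
    chunk_t *second = pop_unchecked();  /* pool[1], corrupted header accepted */
    return first == &pool[0] && second == &pool[1] && !in_pool(head);
}

/* Returns 1 when the checked list served the intact chunk but refused the
 * corrupted one and left its head untouched. */
int checked_list_rejects_corrupted_link(void) {
    list_init();
    corrupt_second_header();
    chunk_t *first = pop_checked();     /* pool[0], validates */
    chunk_t *second = pop_checked();    /* pool[1], cookie mismatch */
    return first == &pool[0] && second == NULL && head == &pool[1];
}

int main(void) {
    printf("unchecked list hands out a forged link: %s\n",
           unchecked_list_serves_corrupted_link() ? "yes" : "no");
    printf("checked list rejects the corrupted chunk: %s\n",
           checked_list_rejects_corrupted_link() ? "yes" : "no");
    return 0;
}
```

The unchecked variant is the failure mode the article describes: once a header is overwritten, the list simply stores the forged link as its new head, so the following allocation returns memory the overflow chose. The checked variant fails closed on the first bad header; a real allocator would abort the process or log the event rather than silently returning NULL, and a detection team would treat such heap integrity failures as a signal worth alerting on.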

The company notified Microsoft of the problem on Dec. 22nd, but it apparently decided not to wait for the software giant to patch the flaws and developed a simple utility called PTmsHORP, which restricts the creation of lookaside lists, governed by a special global flag. The program shows a list of applications that already have this flag set. To activate this safety flag for other applications, you just need to add the name of the executable file to the list. You can review or modify the list of protected applications at any time by running PTmsHORP again. The program can be downloaded from here.