Configure or Turn Off DEP (Data Execution Prevention) in Windows

It can cause issues with some older third-party software

Data Execution Prevention (DEP) is one of those ‘blursed’ things. It’s a blessing most of the time when it does its job and doesn’t interfere, but cursed when it does interfere. 

Let’s look at DEP and how to configure it, or turn DEP off, depending on your needs.

What Is DEP & What Does It Do?
According to Microsoft, DEP is:
“…a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system.”

Dell simplifies it a bit and tells us that DEP

“…can help protect your computer by monitoring your programs to make sure that they use system memory safely.”


What does that mean? Some areas of the computer’s memory hold data and aren’t meant to have code running in them, but sometimes code does run there.

Usually, code that runs from those areas is malicious. DEP monitors them, and if it sees something trying to execute there, it shuts the program down. If you want to get in-depth about how it works, read Microsoft’s detailed description of Data Execution Prevention.

So Why Does DEP Cause Problems?
Even today, computers are dumb. They cannot reason; they can only apply the most basic logic. And since that logic is written by humans, our mistakes end up in them too.

Sometimes, good programs will wander off into the areas that DEP monitors and work in those spaces.


When this happens, DEP will sometimes shut the entire program down and let you know via an error message. But sometimes DEP will just cause the program to run very poorly and there won’t be anything obvious to tell you why. 

What Programs Have Problems With DEP?
Programs that conflict with DEP are typically older programs or are built on old codebases. A lot of Enterprise Resource Planning (ERP) software is built on codebases that go back to the 1970s. There was no DEP then, so the program will go into areas that DEP patrols.

64-bit programs were created after DEP was well established, so they were developed to comply. Most programs that conflict with DEP will be 32-bit programs. 

Non-Microsoft programs that interact heavily with Windows Services, or run their own Windows Services, may be tripped up by DEP. If that is the case, the vendor may recommend turning DEP off completely.

For the home user, old games that are 32-bit, and some emulators for playing even older games, are the most likely to conflict with DEP.

Old device drivers or drivers downloaded from unofficial sources may also trigger DEP errors. Only download drivers from the hardware manufacturer or Microsoft, and update your drivers regularly.

How Do I Know If DEP Is The Problem?
You may have to go into Event Viewer and sift through the logs for Event ID 1000. If you find one, it may look like this:

Event ID: 1000 - DEP Error: Generic Host Process for Win32 Services - DEP: Application Error
Event Type: Error
Event Source: Application Error
Event Category: (100)
Event ID: 1000

You may see other errors referencing things like:

  • 0xFC: ATTEMPTED_EXECUTE_OF_NOEXECUTE_MEMORY – occurs when a device driver tries to execute code from memory that is marked non-executable. It may be a bad or outdated driver, so you’ll want to update your drivers.
  • STATUS_ACCESS_VIOLATION (0xc0000005) – occurs when a program tries to execute code in DEP-protected memory space.
How To Configure Or Turn Off DEP
In Windows 10, DEP defaults to the setting Turn on DEP for essential Windows programs and services only. Most of the time, this is sufficient. It means that the majority of your programs will be ignored by DEP. 

But since DEP helps protect the computer and doesn’t carry a performance hit, you may want to select Turn on DEP for all programs except those that I select. Then, if you find a program that has a problem with DEP, you can add it as an exception. Let’s look at how to do that.
  • Open the Control Panel, then open System.
  • On the left side of the System window, click on Advanced System Settings.
  • The System Properties window should open and already be set to the Advanced tab. In the Performance area, click on Settings.
  • In the Performance Options window, click on the Data Execution Prevention tab.
  • Select Turn on DEP for all programs except those that I select, then click on the Add button near the bottom of the window.
  • Navigate to the executable for the program that we’d like to add as an exception. It will most likely be in C:\Program Files (x86).
  • In this example, we’re adding MediaMonkey, an old music player utility. Click on the .exe file once we find it and click on Open.
  • In Performance Options, click on Apply. Now, MediaMonkey will run outside of DEP protection while all other programs will run within DEP protection.

Turn DEP Completely Off

If you want to turn DEP completely off, we advise only doing that as part of troubleshooting an issue. DEP is there for your protection. 

Since it’s something that isn’t advised, there isn’t a good point-and-click way to do it. Let’s look at how we can turn off DEP.
  • Open the Command window as Administrator. Do this by typing cmd in the program search field near the Start menu, then choosing Run as administrator.
  • Enter the command bcdedit.exe /set {current} nx AlwaysOff and press Enter.

bcdedit.exe is a Windows utility for editing boot configuration data, hence the name.

/set tells bcdedit to set an option value entry in the boot configuration.

{current} tells bcdedit to work with the boot configuration being used right now.

nx is short for no execute and is the setting name for DEP in the boot configuration.

AlwaysOff is self-explanatory.

  • Restart the computer.
  • DEP will now be completely and permanently off.

Turn DEP On For Everything
To turn DEP on for absolutely everything, the process and command are the same as above.

  • Open the Command window as Administrator, following the instructions in the procedure above.
  • Enter the command bcdedit.exe /set {current} nx AlwaysOn.
  • Restart the computer.
  • DEP will be turned on and all programs monitored.
After setting DEP to AlwaysOn or AlwaysOff, it CANNOT be changed via the Data Execution Prevention tab in system settings; the radio buttons there are disabled.

Let’s look at how to change it so that the radio buttons in the DEP tab can be used again.

Set DEP Back To Default Behavior
To set DEP behavior back to default and make it manageable again via system settings, do the following.
  • Open the Command window as Administrator.
  • Enter the command bcdedit.exe /set {current} nx OptIn.
  • Restart the computer.
  • Now the radio buttons in the DEP tab in system settings are accessible again.
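The checks from the Event Viewer section and the bcdedit settings above, as an added Python example rather than anything from the article: it reads the nx entry from bcdedit /enum {current} output to report what DEP covers and whether the DEP tab is locked, and lists Event ID 1000 application crashes whose exception code is 0xc0000005. The embedded bcdedit and event text are constructed samples; on Windows the script runs the real tools instead (bcdedit needs an elevated prompt).

```python
import re
import subprocess
import sys

# Constructed sample of `bcdedit /enum {current}` output; not captured from a real machine.
SAMPLE_BCDEDIT = """identifier              {current}
description             Windows 10
nx                      OptIn
"""
# Constructed Event ID 1000 records in `wevtutil qe Application /f:text` layout; not real crash data.
SAMPLE_EVENTS = """Event[0]:
Faulting application name: MediaMonkey.exe, version: 3.0.0.0, time stamp: 0x00000000
Faulting module name: MediaMonkey.exe, version: 3.0.0.0, time stamp: 0x00000000
Exception code: 0xc0000005
Event[1]:
Faulting application name: notepad.exe, version: 10.0.19041.1, time stamp: 0x00000000
Faulting module name: ntdll.dll, version: 10.0.19041.1, time stamp: 0x00000000
Exception code: 0xc0000409
"""
# What each nx value means for the DEP tab, as the article describes it: (coverage, tab locked?).
NX_POLICY = {
    "optin": ("essential Windows programs and services only", False),
    "optout": ("all programs except those on the exception list", False),
    "alwayson": ("all programs, exception list ignored", True),
    "alwaysoff": ("nothing: DEP is disabled", True),
}

def dep_policy(bcdedit_text):
    """Return (nx value, coverage, tab locked?) from bcdedit output; no nx entry means the default, OptIn."""
    m = re.search(r"^nx\s+(\w+)", bcdedit_text, re.MULTILINE | re.IGNORECASE)
    nx = m.group(1) if m else "OptIn"
    return (nx,) + NX_POLICY[nx.lower()]

def access_violation_crashes(event_text):
    """(faulting app, faulting module) for each Event 1000 whose exception code is STATUS_ACCESS_VIOLATION.
    An access violation is not proof of a DEP block; treat the result as candidates to test with an exception."""
    hits = []
    for rec in re.split(r"^Event\[\d+\]:", event_text, flags=re.MULTILINE):
        app = re.search(r"Faulting application name: ([^,]+)", rec)
        mod = re.search(r"Faulting module name: ([^,]+)", rec)
        code = re.search(r"Exception code: (0x[0-9a-fA-F]+)", rec)
        if app and code and int(code.group(1), 16) == 0xC0000005:
            hits.append((app.group(1), mod.group(1) if mod else None))
    return hits

if __name__ == "__main__":  # on Windows read the live tools (bcdedit needs an elevated prompt), else use the samples
    run = lambda *c: subprocess.run(c, capture_output=True, text=True).stdout
    live = sys.platform == "win32"
    bcd = run("bcdedit", "/enum", "{current}") if live else SAMPLE_BCDEDIT
    evt = run("wevtutil", "qe", "Application", "/q:*[System[(EventID=1000)]]", "/f:text", "/c:50") if live else SAMPLE_EVENTS
    print("DEP policy:", dep_policy(bcd))
    print("Access-violation crashes:", access_violation_crashes(evt))
```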
To DEP Or Not To DEP
We recommend leaving DEP on its default setting of Turn on DEP for essential Windows programs and services only, unless it’s necessary to change it to troubleshoot problems that may be DEP-related.

Understanding the Impact of Apache Log4j Vulnerability

More than 35,000 Java packages, amounting to over 8% of the Maven Central repository (the most significant Java package repository), have been impacted by the recently disclosed log4j vulnerabilities (1, 2), with widespread fallout across the software industry. The vulnerabilities allow an attacker to perform remote code execution by exploiting the insecure JNDI lookups feature exposed by the logging library log4j. This exploitable feature was enabled by default in many versions of the library.

This vulnerability has captivated the information security ecosystem since its disclosure on December 9th because of both its severity and widespread impact. As a popular logging tool, log4j is used by tens of thousands of software packages (known as artifacts in the Java ecosystem) and projects across the software industry. Users’ lack of visibility into their dependencies and transitive dependencies has made patching difficult; it has also made it difficult to determine the full blast radius of this vulnerability. Using Open Source Insights, a project to help understand open source dependencies, we surveyed all versions of all artifacts in the Maven Central Repository to determine the scope of the issue in the open source ecosystem of JVM-based languages, and to track the ongoing efforts to mitigate the affected packages.

How widespread is the log4j vulnerability?

As of December 16, 2021, we found that 35,863 of the available Java artifacts from Maven Central depend on the affected log4j code. This means that more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability. (These numbers do not encompass all Java packages, such as directly distributed binaries, but Maven Central is a strong proxy for the state of the ecosystem.)

As far as ecosystem impact goes, 8% is enormous. The average ecosystem impact of advisories affecting Maven Central is 2%, with the median less than 0.1%.



Direct dependencies account for around 7,000 of the affected artifacts, meaning that at least one of the artifact’s versions declares a dependency directly on an affected version of log4j-core or log4j-api, as described in the CVEs. The majority of affected artifacts come from indirect dependencies (that is, the dependencies of one’s own dependencies), meaning log4j is not explicitly defined as a dependency of the artifact but gets pulled in as a transitive dependency.




What is the current progress in fixing the open source JVM ecosystem?

We counted an artifact as fixed if the artifact had at least one version affected and has released a greater stable version (according to semantic versioning) that is unaffected. An artifact affected by log4j is considered fixed if it has updated to 2.16.0 or removed its dependency on log4j altogether.

At the time of writing, nearly five thousand of the affected artifacts have been fixed. This represents a rapid response and mammoth effort both by the log4j maintainers and the wider community of open source consumers.

That leaves over 30,000 artifacts affected, many of which are dependent on another artifact to patch (the transitive dependency) and are likely blocked.


Why is fixing the JVM ecosystem hard?

Most artifacts that depend on log4j do so indirectly. The deeper the vulnerability is in a dependency chain, the more steps are required for it to be fixed. The following diagram shows a histogram of how deeply an affected log4j package (core or api) first appears in consumers’ dependency graphs. For more than 80% of the packages, the vulnerability is more than one level deep, with a majority affected five levels down (and some as many as nine levels down). These packages will require fixes throughout all parts of the tree, starting from the deepest dependencies first.


Another difficulty is caused by ecosystem-level choices in the dependency resolution algorithm and requirement specification conventions.
In the Java ecosystem, it’s common practice to specify “soft” version requirements — exact versions that are used by the resolution algorithm if no other version of the same package appears earlier in the dependency graph. Propagating a fix often requires explicit action by the maintainers to update the dependency requirements to a patched version.
This practice is in contrast to other ecosystems, such as npm, where it’s common for developers to specify open ranges for dependency requirements. Open ranges allow the resolution algorithm to select the most recently released version that satisfies dependency requirements, thereby pulling in new fixes. Consumers can get a patched version on the next build after the patch is available, which propagates up the dependencies quickly. (This approach is not without its drawbacks; pulling in new fixes can also pull in new problems.)
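As an added illustration (not code from the Open Source Insights project), here is a small Python model of the nearest-wins resolution and the dependency-depth counting described above, applied to a constructed dependency graph: it reports how deep log4j-core enters an artifact’s resolved tree, whether the resolved version is below the 2.16.0 threshold the article uses, and applies the article’s “fixed” rule across an artifact’s versions. The graph, artifact names and versions are invented for the example.

```python
from collections import deque

# Constructed dependency graph: (artifact, version) -> declared dependencies with exact ("soft") versions.
# Not real Maven Central data; shaped to show why a deep fix does not propagate on its own.
GRAPH = {
    ("app", "1.0"): [("web-framework", "3.1"), ("log4j-core", "2.14.1")],  # direct pin on old log4j
    ("app", "1.1"): [("web-framework", "3.1")],                            # direct pin removed
    ("web-framework", "3.1"): [("json-lib", "1.2")],
    ("json-lib", "1.2"): [("log4j-core", "2.16.0")],                       # already patched
    ("log4j-core", "2.14.1"): [("log4j-api", "2.14.1")],
    ("log4j-core", "2.16.0"): [("log4j-api", "2.16.0")],
    ("log4j-api", "2.14.1"): [],
    ("log4j-api", "2.16.0"): [],
}
FIXED_IN = (2, 16, 0)  # the article's threshold at the time of writing

def vtuple(version):
    return tuple(int(x) for x in version.split("."))

def affected(version):
    return vtuple(version) < FIXED_IN

def resolve(root):
    """Maven-style nearest-wins resolution: breadth-first over the declared tree, the shallowest
    declaration of each artifact is kept and only its dependencies are expanded.
    Returns ({artifact: chosen version}, {artifact: depth}); the root is depth 0, direct deps depth 1."""
    chosen, depth, queue = {}, {}, deque([(root, 0)])
    while queue:
        (name, ver), d = queue.popleft()
        if name in chosen:  # a nearer declaration already won; this deeper one is ignored
            continue
        chosen[name], depth[name] = ver, d
        for dep in GRAPH[(name, ver)]:
            queue.append((dep, d + 1))
    return chosen, depth

def log4j_exposure(root):
    """(resolved log4j-core version or None, depth at which it enters, affected?) for one artifact version."""
    chosen, depth = resolve(root)
    ver = chosen.get("log4j-core")
    return ver, depth.get("log4j-core"), bool(ver and affected(ver))

def is_fixed(artifact):
    """Article's rule: at least one version affected, and a greater version that is unaffected."""
    states = sorted((vtuple(v), log4j_exposure((n, v))[2]) for (n, v) in GRAPH if n == artifact)
    bad = [v for v, a in states if a]
    return bool(bad) and any(not a and v > max(bad) for v, a in states)

if __name__ == "__main__":
    for root in (("app", "1.0"), ("app", "1.1")):
        print(root, "->", log4j_exposure(root))
    print("app fixed:", is_fixed("app"))
```

Note that app 1.0 stays on 2.14.1 even though json-lib already moved to 2.16.0: the nearer declaration wins, so the maintainer of app has to update the pin themselves.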

How long will it take for this vulnerability to be fixed across the entire ecosystem?
It’s hard to say. We looked at all publicly disclosed critical advisories affecting Maven packages to get a sense of how quickly other vulnerabilities have been fully addressed. Less than half (48%) of the artifacts affected by a vulnerability have been fixed, so we might be in for a long wait, likely years.
But things are looking promising on the log4j front. After less than a week, 4,620 affected artifacts (~13%) have been fixed. This, more than any other stat, speaks to the massive effort by open source maintainers, information security teams and consumers across the globe.

Where to focus next?
Thanks and congratulations are due to the open source maintainers and consumers who have already upgraded their versions of log4j. As part of our investigation, we pulled together a list of 500 affected packages with some of the highest transitive usage. If you are a maintainer or user helping with the patching effort, prioritizing these packages could maximize your impact and unblock more of the community.
We encourage the open source community to continue to strengthen security in these packages by enabling automated dependency updates and adding security mitigations. Improvements such as these could qualify for financial rewards from the Secure Open Source Rewards program.
You can explore your package dependencies and their vulnerabilities by using Open Source Insights.


Microsoft is finally retiring Internet Explorer in 2022

Internet Explorer will no longer be supported in June 2022


Microsoft is finally retiring Internet Explorer next year, after more than 25 years. The aging web browser has largely been unused by most consumers for years, but Microsoft is putting the final nail in the Internet Explorer coffin on June 15th, 2022, by retiring it in favor of Microsoft Edge.

“We are announcing that the future of Internet Explorer on Windows 10 is in Microsoft Edge,” says Sean Lyndersay, a Microsoft Edge program manager. “The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022, for certain versions of Windows 10.”

While the Long-Term Servicing Channel (LTSC) of Windows 10 will still include Internet Explorer next year, all consumer versions will end support of the browser. Microsoft doesn’t make it clear (and we’re checking), but it’s likely that we’ll finally see the end of Internet Explorer being bundled in Windows either in June 2022 or soon after.

Internet Explorer originally launched in 1995

The alternative for most businesses will be Microsoft Edge with IE mode. Microsoft created its IE mode for Edge a couple of years ago, and it has allowed businesses to adopt the new Chromium-based browser while keeping older legacy websites working. IE mode supports older ActiveX controls and legacy sites, which are surprisingly still used by many businesses. Microsoft is promising to support IE mode in Edge through at least 2029.

The end of Internet Explorer has been a long time coming. Microsoft ended support for Internet Explorer 11 for the Microsoft Teams web app last year, and it’s planning to cut it off from accessing Microsoft 365 services later this year. Internet Explorer 11 will no longer be supported for Microsoft’s online services like Office 365, OneDrive, Outlook, and more on August 17th.

Microsoft has also been trying to stop people from using Internet Explorer for more than five years. Microsoft Edge first appeared in 2015, and it kicked off the end of the Internet Explorer brand. Microsoft has since labeled Internet Explorer a “compatibility solution” rather than a browser and encouraged businesses to stop using the aging browser in favor of Edge and its IE mode.
