IE will be more secure when Sun fix Java bug 6545701

November 12, 2008 in HttpWatch, Internet Explorer

One of the most common security vulnerabilities in Windows software is the buffer overrun exploit. It works by feeding a well-crafted data stream into a program that uses a stack-based buffer without correctly checking the length of the data stream. By writing past the end of the buffer, the overrun can:

  1. Store malicious assembler instructions in the stack’s memory pages
  2. Change the current function’s return address on the stack so that the malicious instructions are executed instead of the original calling code when the function returns.

This technique for injecting code can be used to take control of the current process and possibly the whole PC if the program is running as a user with admin rights.

The problem originates from the fact that Intel’s early x86 processors enforced the READ and WRITE flags on memory pages, but not the EXECUTE flag that is used for executable code pages. The memory pages used by a program’s stack never have the EXECUTE flag, so step 2 above should fail because an attempt is being made to execute READ/WRITE data.

By the time Intel added the NX flag to enforce execution protection, many carelessly written programs relied on being able to execute code in a non-EXECUTE page. So when Microsoft added DEP (Data Execution Prevention) in Windows XP SP2, they were unable to turn it on globally because of the large number of third-party applications and add-ons that would fail.

Of course, there is one program in particular that would benefit from DEP – Internet Explorer. It’s used by more than half a billion people worldwide and can be subjected to buffer overrun attacks when visiting malicious or hacked web sites. Unfortunately, only a tiny percentage of the IE users around the world have DEP enabled. 

On Windows XP you cannot turn on DEP in Internet Explorer through the user interface, even if you turn on DEP globally like this in the Control panel System applet:

Enable DEP in Windows XP

There are certain programs that are always excluded from DEP on Windows XP for compatibility reasons. IE is one of these programs because so many third party add-ons and OCXs failed to work correctly with DEP when Service Pack 2 was released.

Incidentally, HttpWatch works with DEP and is built with the /NXCOMPAT flag to indicate that it can safely be used when DEP is enabled.

On Windows Vista you can enable DEP in IE 7 by using this checkbox:

Enabling DEP in IE 7 on Windows Vista

The checkbox can only be modified if you run IE 7 as the administrator:

So why doesn’t everyone do this and why isn’t it the default? That’s because there’s one major non-compliant add-on that nearly everyone installs – the Sun Java runtime. When it’s installed and you have DEP enabled, IE 7 raises a DEP error if you visit a site that uses a Java applet:

DEP error caused by Java applet

Sun has acknowledged the problem, but the high priority bug has been open since April 2007:

bug 6545701 : DEP issue with Java VM

http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6545701

Once this has been fixed the way is clear for DEP to be enabled for most IE users on Windows Vista.

In the meantime, IE 7 on Vista still offers much better protection against buffer overruns than Windows XP. That is because of two new features:

  • Protected Mode – by default IE 7 runs in a low rights mode even if you are logged in as an administrator. A hijacked instance of IE therefore has limited access to other programs and data on the PC.
  • Address Space Layout Randomization (ASLR) – on Windows Vista important system DLLs are placed at random locations in each process. The hacker can no longer rely on system functions being at known locations and would have to make a guess. Any incorrect guess causes the hijacked program to crash, preventing continued execution of the malicious code.

HttpWatch Version 6.0

September 15, 2008 in Firefox, HttpWatch, Internet Explorer

HttpWatch 6.0

HttpWatch version 6.0 has been released and is now available for download.

Any customers eligible for a free upgrade to HttpWatch Professional can install the latest version using their existing license key. If you’re not sure whether your license will work with version 6.0 go to Help->Check For Updates in HttpWatch and it will show you any available updates or upgrades.

What’s New?

The major new feature in this release is support for Firefox 2.0 and 3.0 on Windows. If you install version 6.0 you’ll get an HttpWatch status bar icon in Firefox:

Clicking on the icon will open the same HttpWatch user interface that’s previously only been available in Internet Explorer:

HttpWatch Plug-in For Firefox

A few other areas have also been improved to accommodate Firefox. First of all there’s a new Properties window that displays information about the browser that recorded a log file:

The comment field allows simple notes and annotations to be saved with each log file.

The automation interface has been updated to include the data from the Properties window and to allow automation of HttpWatch within Firefox:

We’ve also done some work on the way that Start times are displayed. You can now choose between time offsets, local time and GMT/UTC. The latter can be particularly useful when trying to compare log files from other monitoring tools and other locations world-wide:

And finally, HttpWatch Studio now has tabs making it easier to switch between log files:

Compatibility with Version 5.x

We’ve kept the file format unchanged from version 5.x, so you can readily exchange log files with version 6.0. Although you cannot view some of the information such as the comment and browser version in version 5.x, this data is maintained if you re-save the log file and then re-open it in version 6.0.

The automation interface maintains backwards source compatibility with interpreted script clients and binary compatibility with existing compiled clients (e.g. C#, C++, VB.Net). However, if you attempt to recompile an automation program with version 6.0, you may need to make some source code changes. For example, the New method has moved from the Plugin object onto the Firefox and IE objects.

Five Tips For the Effective Use of PNG Images

May 29, 2008 in Internet Explorer, Optimization

Tip #1: Be Aware of PNG Limitations in Internet Explorer

The Portable Network Graphic (PNG) format is well supported by modern browsers (e.g. IE 6+, Firefox 1+ and Opera 5+), except for two issues with Internet Explorer:

  • Graphics tools like Adobe Photoshop save a Gamma correction table in the PNG file that is designed to allow for differences in the brightness of displays. Unlike other browsers, IE uses this table to adjust the brightness of a PNG image and therefore causes color mismatches when viewed alongside CSS colors or images in other formats. This problem is easily corrected by deleting the chunk containing the table with a tool like TweakPNG (screenshot: Gamma table in TweakPNG).
  • There is no transparency support for the normal PNG-24 format (24 bit color) in IE 6. However, simple 1 bit transparency, like GIF files, is supported with the PNG-8 format (8 bit color).
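The chunk deletion described in the first point, as an added example that is not part of the original post: a walk over the PNG chunk list that verifies each CRC and drops the gamma chunk (type `gAMA` in the PNG specification). The 1x1 sample image is constructed inline, and the function names are this example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def chunks(png: bytes):
    """Yield (type, data) for each chunk, verifying its CRC."""
    if png[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    pos = 8
    while pos < len(png):
        length, ctype = struct.unpack_from(">I4s", png, pos)
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", png, pos + 8 + length)
        if zlib.crc32(ctype + data) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length  # length + type + data + CRC


def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: length, type, data, CRC over type and data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def strip_gamma(png: bytes) -> bytes:
    """Return the PNG with every gAMA chunk removed; pixels are untouched."""
    kept = [make_chunk(t, d) for t, d in chunks(png) if t != b"gAMA"]
    return PNG_SIGNATURE + b"".join(kept)


def sample_png() -> bytes:
    """Constructed 1x1 8-bit RGB image carrying a gAMA chunk (gamma 1/2.2)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x80\x00")  # filter byte + one RGB pixel
    return PNG_SIGNATURE + b"".join([
        make_chunk(b"IHDR", ihdr),
        make_chunk(b"gAMA", struct.pack(">I", 45455)),
        make_chunk(b"IDAT", idat),
        make_chunk(b"IEND", b""),
    ])


if __name__ == "__main__":
    print([t.decode() for t, _ in chunks(strip_gamma(sample_png()))])
```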

Tip #2: Use PNG Images For Screenshots, Buttons and Logos

The Deflate compression algorithm used by PNG always preserves the original image, unlike the JPEG format which allows a trade-off between image quality and size. The screen shots below show how the image can become degraded with JPEG:

300% zoomed view of medium quality JPEG:

JPEG Text

300% zoomed view of equivalent PNG:

PNG Text

So, if you need to display screen shots, logos, buttons or other artwork then you should use PNG files to avoid the sort of compression artifacts seen above. It is possible to save a JPEG image with 100% quality (i.e. lossless) but the file ends up being much larger than the equivalent PNG.

Tip #3: Consider Replacing GIFs With PNGs

A GIF file of more than a few hundred bytes will usually be smaller if it is converted to an equivalent PNG. You can achieve even greater savings if you use the PNG-8 format (8 bits per pixel) compared to the usual PNG-24 (24 bits of color per pixel) format.

However, if you need animated images you’ll have to stick with GIF files because PNG has no animation support.

Tip #4: Don’t Use PNGs For Photos

The compression algorithm used in JPEG was designed for photographic content. Although it does not exactly preserve the original image, very substantial savings can often be achieved without introducing any noticeable degradation. For example, the image shown below is over 10 times smaller as a JPEG rather than a PNG with no noticeable differences:

PNG – 24 bit color, file size 88 KB:

Sunset PNG

JPEG – saved as medium quality in Photoshop, file size 7 KB:

Sunset JPEG image

Tip #5: Not All PNGs Are Created Equal

There is some flexibility in the way the deflate compression is applied to an image in a PNG file. This means that if you save the same image in different graphical tools you’ll often see different file sizes. We tried saving the largest PNG from our web site in three different tools:

File size for 786 x 245 PNG image:

Adobe Photoshop: 104 KB
Paint Shop Pro: 105 KB
MS Paint: 132 KB

The file produced by the Windows built-in Paint program was nearly 30% larger than the output from Adobe Photoshop!

To get the smallest possible file size, use a post processing tool like PNGOut. With our sample image, it produced a PNG file size of 100 KB.
