Intel's Execute Disable Bit functionality, first released for the Intel® Itanium® processor family in 2001, can prevent certain classes of malicious "buffer overflow" attacks when combined with a supporting operating system.
Execute Disable Bit allows the processor to classify areas in memory by where application code can execute and where it cannot. When a malicious worm attempts to insert code in the buffer, the processor disables code execution, preventing damage or worm propagation. To provide end-to-end no execute (NX) coverage, Intel will offer Execute Disable Bit for workstations, and other server products beginning in late Q3 2004. Desktop and workstation products are now shipping, with system availability in Q4 2004. Mobile products begin shipping in late Q4 2004, with system availability in Q1 2005.
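The enforcement described above can be observed from user space. The following is an added example, not Intel code; it assumes Linux on an x86 or x86-64 processor with Execute Disable Bit (NX) enabled by the operating system, and the function name is made up for illustration. It places a single `ret` instruction in a data page and calls it in a child process, once with the page left non-executable and once after marking it executable.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "This example encodes an x86 instruction byte"
#endif

/* Hypothetical helper: writes one x86 `ret` (0xC3) into a fresh data page,
 * optionally marks the page executable, then calls it in a child process.
 * Returns 0 if the call returned normally, the signal number that killed
 * the child otherwise, or -1 on a setup failure. */
int call_from_data_page(int make_executable)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, (size_t)pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    page[0] = 0xC3;                       /* ret: return to the caller */
    if (make_executable &&
        mprotect(page, (size_t)pagesz, PROT_READ | PROT_EXEC) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                       /* child: jump into the page */
        void (*fn)(void);
        memcpy(&fn, &page, sizeof fn);
        fn();                             /* faults here if the page is NX */
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    munmap(page, (size_t)pagesz);
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    printf("data page (no execute): result %d\n", call_from_data_page(0));
    printf("page marked executable: result %d\n", call_from_data_page(1));
    return 0;
}
```

On a system where the bit is unsupported or disabled, the first call returns normally instead of being stopped, which makes this a quick check that the protection is actually in force.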
Implementing Execute Disable Bit
Replacing older computers with Execute Disable Bit-enabled systems can halt worm attacks, reducing the need for virus-related repairs. In addition, Execute Disable Bit may eliminate the need for software patches aimed at buffer overflow attacks. By combining Execute Disable Bit with anti-virus, firewall, spyware removal, e-mail filtering software, and other network security measures, IT managers can free IT resources for other initiatives.
Execute Disable Bit currently requires one of the following operating systems to support it:
Microsoft Windows* Server 2003 with Service Pack 1
Microsoft Windows* XP* with Service Pack 2
SUSE Linux* 9.2
Red Hat Enterprise Linux 3 Update 3
See Microsoft's Windows* Service Pack Roadmap for more information on Service Pack releases, or download Windows XP Service Pack 2.