Execute Disable Bit Functionality
 
Malicious buffer overflow attacks pose a significant security threat to businesses: they consume IT resources and, in some cases, destroy digital assets. In a typical attack, a worm sends a vulnerable program more input than the receiving buffer can hold. The excess overwrites adjacent memory, including the saved return address, so control passes to the attacker's code carried inside that oversized input. The worm then uses the compromised machine to attack other computers on the network.

Intel's Execute Disable Bit functionality, first released for the Intel® Itanium® processor family in 2001, can prevent certain classes of malicious "buffer overflow" attacks when combined with a supporting operating system. Execute Disable Bit lets the operating system mark each page of memory as either executable (program code) or non-executable (data such as stacks, heaps and I/O buffers). When a worm places code in a data buffer and tries to run it, the processor raises a fault instead of executing the injected instructions, so the worm cannot take over the machine or propagate. The overflow itself still happens, and the faulting process may still crash; what Execute Disable Bit removes is the attacker's ability to run code from data pages. To provide end-to-end no execute (NX) coverage, Intel will offer Execute Disable Bit for desktops, workstations, and other server products beginning in late Q3 2004. Mobile products begin shipping in late Q4 2004, with system availability in Q1 2005.
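The following program is an added example, not code from the original page or from Intel, showing what the processor enforces when Execute Disable Bit is active. It copies a few bytes of machine code (a constructed stand-in for injected worm code that simply returns 42) into a page mapped read/write, as a stack or heap buffer would be, and calls it; with NX enforced the CPU faults, and a SIGSEGV handler turns the fault into a return value of -1 so the demo can report it. It then marks the same page executable, as a JIT compiler legitimately would, and calls it again. The function name `run_demo` and the payload bytes are assumptions for this demo; it targets Linux on x86-64 or AArch64.

```c
/* Added example (not Intel's code): demonstrate Execute Disable Bit / NX.
 * run_demo(0) executes "injected" code from a read/write data page;
 * run_demo(1) first makes the page executable. Linux, x86-64 or AArch64. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stand-in for injected code: return 42 to the caller. */
#if defined(__x86_64__)
static const unsigned char payload[] = {0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3}; /* mov eax,42 ; ret */
#elif defined(__aarch64__)
static const unsigned char payload[] = {0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6}; /* mov w0,#42 ; ret */
#else
#error "payload bytes are provided for x86-64 and AArch64 only"
#endif

static sigjmp_buf fault_env;

/* The processor refused to fetch instructions from the page: jump back into
 * run_demo with a nonzero sigsetjmp result instead of letting the process die. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Returns 42 if the payload ran, -1 if the CPU blocked execution of the page,
 * -2 on a setup error. make_executable selects an RW page (0) or an RX page (1). */
int run_demo(int make_executable) {
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -2;
    memcpy(page, payload, sizeof payload);             /* the "overflowed" data */
    if (make_executable) {
        if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, pagesz);
            return -2;
        }
        __builtin___clear_cache((char *)page, (char *)page + pagesz); /* required on AArch64 */
    }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    int result;
    if (sigsetjmp(fault_env, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer without a cast */
        result = fn();                   /* with NX and an RW page this never returns normally */
    } else {
        result = -1;                     /* execute attempt on a non-executable page was blocked */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(page, pagesz);
    return result;
}

int main(void) {
    printf("RW page: %d  (-1 means the execute attempt was blocked)\n", run_demo(0));
    printf("RX page: %d  (42 means the code ran)\n", run_demo(1));
    return 0;
}
```

Build with `cc -O0 -o nx_demo nx_demo.c` and run it. The first line should show -1 and the second 42: the same bytes in the same page are either refused or run depending solely on the page's execute permission. If the first call also returns 42, the platform is not enforcing no-execute (the operating system is not setting the bit, or the processor lacks it), which is exactly the situation the supporting-OS requirement in this page addresses.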

Implementing Execute Disable Bit
Replacing older computers with Execute Disable Bit-enabled systems can stop the code-injection stage of many worm attacks, reducing the need for virus-related repairs. Execute Disable Bit does not remove the underlying overflow bugs, so software patches are still required, but it limits what an unpatched flaw can be used for in the meantime. By combining Execute Disable Bit with anti-virus, firewall, spyware removal, e-mail filtering software, and other network security measures, IT managers can free IT resources for other initiatives.

Execute Disable Bit takes effect only when the operating system sets the no-execute bit in its page tables. It currently requires one of the following operating systems:

Microsoft Windows* Server 2003 with Service Pack 1
Microsoft Windows* XP* with Service Pack 2
SUSE Linux* 9.2
Red Hat Enterprise Linux 3 Update 3