Thursday, August 31, 2006

Metastorm e-Work 7 and DEP

I've already written about Metastorm e-Work 7, so I was quite excited when I got hold of the CD and immediately started to install it on a test machine. That is, until I read the Installation Guide, which said "Before attempting to install Metastorm BPM ensure the Data Execution Prevention (DEP) feature is disabled." Er, excuse me? I read on and was dumbfounded to see that I had to turn off DEP for the whole machine before I could install version 7. I ignored the advice and tried to install anyway, but the Installation Guide was telling the truth. I couldn't install because DEP was enabled.

What is DEP and why should you worry? Applications on your computer have a code section and a data section. Executable code is contained within the code section, and any other data required by the application is within the data section. Most applications will only ever execute code from the code section, but until recently nothing stopped you from writing an application that ran code from the data section. This can be useful if you need to write self-modifying code, but only a very small minority of applications would ever need to do this. In fact, the overwhelming majority of applications that do execute code in the data section are viruses, trojans and other malware. So Microsoft have recently introduced DEP, which stops applications executing code in the data section. There are two flavours of DEP, software and hardware. The hardware version only runs on the most recent processors, but other than that I'm not sure of the differences. But one thing is for sure, DEP is a good thing! It is just one line of protection for your PC, but an important one. Disabling it is asking for trouble.

So why does e-Work 7 require me to disable DEP? To be blunt, the software has a bug. Clearly Metastorm thought disabling DEP was an easier option than fixing the bug. What I do find odd is that it is possible to disable DEP on a per-application basis, so I don't understand why they didn't go down this route. I would certainly consider installing the software if this was how it was set up. As it is, e-Work 7 will be remaining on my shelf. If I were Metastorm, I'd be somewhat concerned about the possibility of a lawsuit caused by a server being compromised due to DEP being disabled...
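
To check whether a machine has been left in the state the Installation Guide asks for, the following read-only PowerShell script reports the machine-wide DEP policy and any per-application exceptions. It is an added example, not code from the original post or from Metastorm. It assumes a Windows host with PowerShell 3 or later, and that per-application exceptions are stored where the System Properties dialog writes them.

```powershell
# Added example: audit DEP configuration on a Windows host (read-only).
# SupportPolicy values as documented for the Win32_OperatingSystem WMI class.
$policyNames = @{
    0 = 'AlwaysOff: DEP disabled for the whole machine'
    1 = 'AlwaysOn: DEP enforced for every process, no exceptions'
    2 = 'OptIn: DEP only for Windows components and opted-in programs'
    3 = 'OptOut: DEP for every process except listed exceptions'
}

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy

# Assumption: per-application exceptions live where the System Properties
# dialog writes them, as values whose data contains "DisableNXShowUI".
$layersKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$exceptions = @()
if (Test-Path $layersKey) {
    $key = Get-Item $layersKey
    $exceptions = @($key.GetValueNames() |
        Where-Object { "$($key.GetValue($_))" -match 'DisableNX' })
}

# Summarise the findings in one object so they can be logged or exported.
[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
    Policy               = $policyNames[$policy]
    AppliesTo32Bit       = [bool]$os.DataExecutionPrevention_32BitApplications
    AppliesToDrivers     = [bool]$os.DataExecutionPrevention_Drivers
    PerAppExceptions     = $exceptions -join '; '
} | Format-List

if ($policy -eq 0) {
    Write-Warning 'DEP is off machine-wide; prefer a per-application exception for the one program that needs it.'
} elseif ($exceptions.Count -gt 0) {
    Write-Warning "DEP exceptions present for $($exceptions.Count) program(s); confirm each is still needed."
}
```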
