
SQ14119

Detected Windows executable files that do not implement the Safe Exception Handling (/SAFESEH) vulnerability mitigation.

| priority | CI/CD status | severity | effort | RL level | RL assessment |
| --- | --- | --- | --- | --- | --- |
|  | pass | high | low | None | hardening: warning |
Reason: baseline mitigations missing

About the issue

Safe Exception Handling (/SAFESEH) protects code-flow integrity by ensuring that exceptions are handled only by vetted functions. The mitigation protects dynamically constructed exception handler chains by checking each handler's target against a table of known-good handlers before it is executed. Because control-flow integrity is verified at runtime, malicious code is less likely to be able to hijack trusted execution paths. It is highly recommended to enable this option for all software components used at security boundaries, or those that process user-controlled input. However, this option is only effective on systems that resolve exception handlers dynamically. Most notably, this option is recommended for 32-bit Windows applications that target the Intel x86 platform. Other operating system and platform combinations mitigate exception hijacking through statically generated, read-only unwind tables.

How to resolve the issue

  • To enable this mitigation, refer to your programming language toolchain documentation.
  • In Microsoft Visual Studio, you can enable the safe exception handling mitigation by passing the /SAFESEH parameter to the linker.
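The check this policy performs can be reproduced offline. The following script is an added example, not ReversingLabs' own code: it parses a PE32 header, locates the load configuration directory and reports whether its SEHandlerTable/SEHandlerCount fields are populated, treating non-x86 images and images whose DllCharacteristics declare NO_SEH as out of scope, as described above. build_pe32 is a constructed fixture for exercising the checker, not a real binary.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400
LOAD_CONFIG_DIR = 10  # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG

def _rva_to_offset(rva, sections):
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    return None

def safeseh_status(pe: bytes) -> str:
    """'enabled', 'missing', or 'not-applicable' (non-x86 image or NO_SEH)."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", pe, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic, = struct.unpack_from("<H", pe, opt)
    dllchars, = struct.unpack_from("<H", pe, opt + 70)
    if machine != IMAGE_FILE_MACHINE_I386 or magic != 0x10B:
        return "not-applicable"  # x64/ARM rely on static unwind tables instead
    if dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH:
        return "not-applicable"  # image declares that it uses no SEH at all
    ndirs, = struct.unpack_from("<I", pe, opt + 92)
    if ndirs <= LOAD_CONFIG_DIR:
        return "missing"
    lc_rva, = struct.unpack_from("<I", pe, opt + 96 + 8 * LOAD_CONFIG_DIR)
    sections = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    off = _rva_to_offset(lc_rva, sections) if lc_rva else None
    if off is None or struct.unpack_from("<I", pe, off)[0] < 72:
        return "missing"  # load config absent or too short to hold the handler table
    handler_table, handler_count = struct.unpack_from("<II", pe, off + 64)
    return "enabled" if handler_table and handler_count else "missing"

def build_pe32(safeseh: bool, no_seh: bool = False, machine: int = IMAGE_FILE_MACHINE_I386) -> bytes:
    """Constructed minimal PE32 (one .rdata section holding a load config); not a real binary."""
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, IMAGE_DLLCHARACTERISTICS_NO_SEH if no_seh else 0)
    struct.pack_into("<I", opt, 92, 16)
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, 0x1000, 72)  # load config RVA, size
    hdr = bytearray(64); hdr[:2] = b"MZ"; struct.pack_into("<I", hdr, 0x3C, 64)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x102) + opt
    hdr += b".rdata\0\0" + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    cfg = bytearray(72); struct.pack_into("<I", cfg, 0, 72)  # Size field covers SEHandler*
    if safeseh:
        struct.pack_into("<II", cfg, 64, 0x1100, 3)  # SEHandlerTable RVA, SEHandlerCount
    return bytes(hdr).ljust(0x200, b"\0") + bytes(cfg).ljust(0x200, b"\0")
```

Run safeseh_status over the bytes of a real 32-bit image to classify it; a "missing" result is the condition this policy reports.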

Incidence statistics

ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.

For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.

The percentages are calculated from the total number of packages analyzed:

  • RubyGems: 174K
  • NuGet: 189K
  • PyPI: 403K
  • npm: 2.1M