Do not use VirtualLock to lock pages that contain sensitive data. The function is not implemented on every Windows version, and even where it is, it does not remove the data from memory.
Heap inspection vulnerabilities occur when sensitive data, such as a password or an encryption key, can be exposed to an attacker because it is never removed from memory.
The VirtualLock function is intended to lock pages in memory so that they are not paged to disk. However, on Windows 95/98/ME the function is implemented only as a stub and has no effect. Even on versions that implement it, a successful VirtualLock does not address heap inspection: the secret remains readable in the process's address space, stays in the heap after free() unless it is explicitly overwritten, and can still be written to disk by a crash dump or the hibernation file. Overwrite sensitive buffers as soon as they are no longer needed (on Windows, SecureZeroMemory is guaranteed not to be optimized away), check the return value of any page-lock call, and treat the lock as defense in depth rather than as the remediation.
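The following C program is an added example, not code from the original page: it shows a credential handled the way the text recommends, with the page lock treated as optional (its failure is tolerated, mirroring the stub behaviour on Windows 9x/ME) and the buffer scrubbed before free() with a wipe the optimizer cannot elide. The helper names (`secure_wipe`, `try_lock_pages`, `derive_and_discard`), the stand-in checksum used in place of a real key-derivation step, and the sample secret are all constructed for this illustration. On Windows it calls VirtualLock/VirtualUnlock; elsewhere it falls back to mlock/munlock so that it runs on any POSIX system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

/* Overwrite a buffer in a way the optimizer cannot remove. A plain memset()
 * right before free() is a dead store and may be dropped; calling memset
 * through a volatile function pointer forces the call to happen. (On Windows,
 * SecureZeroMemory provides the same guarantee.) */
static void *(*const volatile memset_v)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n) {
    memset_v(p, 0, n);
}

/* Try to pin a buffer in RAM. Returns 1 on success, 0 on failure. Success is
 * not a guarantee that the data never reaches disk (crash dumps and hibernation
 * still capture it), and on Windows 9x/ME VirtualLock is a no-op stub, so the
 * caller must wipe the buffer regardless of this result. */
int try_lock_pages(void *p, size_t n) {
#ifdef _WIN32
    return VirtualLock(p, n) ? 1 : 0;
#else
    return mlock(p, n) == 0 ? 1 : 0;
#endif
}

void unlock_pages(void *p, size_t n) {
#ifdef _WIN32
    VirtualUnlock(p, n);
#else
    munlock(p, n);
#endif
}

/* Returns 1 if every byte of buf is zero. */
int all_zero(const unsigned char *buf, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

/* Copy a secret into a heap buffer, derive a value from it (a toy checksum
 * stands in for a KDF here; constructed for the example), then wipe the
 * buffer before releasing it. *locked reports whether the page lock worked,
 * *wiped reports whether the buffer was all zero just before free(). */
unsigned derive_and_discard(const char *secret, int *locked, int *wiped) {
    size_t n = strlen(secret) + 1;
    unsigned char *buf = malloc(n);
    *locked = 0;
    *wiped = 0;
    if (!buf) return 0;

    *locked = try_lock_pages(buf, n);   /* may fail; that is not fatal */
    memcpy(buf, secret, n);

    unsigned sum = 0;
    for (size_t i = 0; i < n; i++) sum = sum * 31u + buf[i];

    secure_wipe(buf, n);                /* the actual remediation */
    *wiped = all_zero(buf, n);
    if (*locked) unlock_pages(buf, n);
    free(buf);
    return sum;
}

int main(void) {
    int locked, wiped;
    unsigned v = derive_and_discard("hunter2", &locked, &wiped); /* constructed sample secret */
    printf("lock %s, buffer %s before free, derived 0x%08x\n",
           locked ? "succeeded" : "failed (ignored)",
           wiped ? "wiped" : "NOT wiped", v);
    return wiped ? 0 : 1;
}
```

The program deliberately does not depend on the lock succeeding: under a restrictive RLIMIT_MEMLOCK, or on a platform where the call is a stub, `locked` is 0 and the secret is still scrubbed, which is the property a reviewer should be looking for when auditing for CWE-591.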
[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A7 Insecure Cryptographic Storage
[2] Standards Mapping - OWASP Top 10 2007 - (OWASP 2007) A8 Insecure Cryptographic Storage
[3] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A8 Insecure Storage
[4] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP3230.2 CAT II
[5] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 591
[6] Standards Mapping - FIPS200 - (FISMA) MP
[7] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 - (PCI 1.2) Requirement 3.4, Requirement 6.3.1.3, Requirement 6.5.8, Requirement 8.4
[8] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 - (PCI 2.0) Requirement 3.4, Requirement 6.5.3, Requirement 8.4
[9] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 3.4, Requirement 6.5.8, Requirement 8.4