Forgot your password?
typodupeerror
Security Programming Software Windows

Many Popular Windows Apps Ignore Security Options 202

Posted by Soulskill
from the who-uses-apps-anyway dept.
eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP or ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader.
This discussion has been archived. No new comments can be posted.

Many Popular Windows Apps Ignore Security Options

Comments Filter:
  • Report is flawed (Score:1, Interesting)

    by Anonymous Coward on Saturday July 03, 2010 @02:07PM (#32787046)

    VLC uses both DEP and ASLR in the latest VLC 1.1.0.

    The blog is a rewrite of a blog from Secunia who is testing an old version of VLC...
    They can't even spread their "security fear" correctly...

  • by Anonymous Coward on Saturday July 03, 2010 @02:15PM (#32787090)

    Just enforce the DEP and ASLR system wide and see what breaks. I personally couldn't imagine doing anything else. Few clicks and that's it.

  • by RenQuanta (3274) on Saturday July 03, 2010 @02:22PM (#32787122) Homepage

    I guess it's a matter of perspective...

    Insomnia Sec's SyScan presentation on defeating DEP [insomniasec.com] [PPT warning]

    Google cache HTML-ified alternative to the PPT [googleusercontent.com]

    It may well be that DEP's useful days are numbered. It's likely just a matter of time before these techniques are better researched, more widely understood and commonplace.

    As always, the best defense is in depth, responsible disclosure, and patching, patching, patching.

  • DEP yes, ASLR no (Score:4, Interesting)

    by Animats (122034) on Saturday July 03, 2010 @02:33PM (#32787206) Homepage

    Data execution prevention is a no-brainer. Unix has had that since the 1970s.

    ASLR, though, is iffy. Randomizing the position of code in memory is a form of security through obscurity. If there's a bug that's exploitable with ASLR, it's a bug that can crash the program without it. It also makes debugging harder. No two crash dumps for the same bug are the same. Not even close.

    What's more useful is running applications with very limited privileges. If the browser's renderer can't do much except render the single page it's supposed to be rendering, then corruption within it isn't a big deal. Firefox's approach to running plugins in a separate process is a big step forward, and the more jail-like that process becomes, the better. You really need a mandatory security model like SELinux to make this work, and Windows doesn't have that.

  • by Rockoon (1252108) on Saturday July 03, 2010 @02:57PM (#32787332)
    Modern machines rely heavily on cache for efficiency, and thus code and data locality. I wonder what effect ASLR has on this.
  • Re:DEP yes, ASLR no (Score:4, Interesting)

    by abigsmurf (919188) on Saturday July 03, 2010 @03:08PM (#32787416)
    By that logic, encryption is also security through obscurity, therefore there's no point in encrpyting data.

    The point of ASLR isn't to provide absolute security, it's to provide an additional layer of security to make it harder to produce meaningful exploits from vulnerabilities.
  • Re:"app" (Score:3, Interesting)

    by Anonymous Coward on Saturday July 03, 2010 @03:10PM (#32787434)

    "App" has been short for "application" for a long time. I'm more annoyed by people who think it's specific to the iPhone (an intranet blog at work not long ago claimed (with no iContext, it was about the progress of technology rather than anything directly Apple-related) that the "first app" appeared in 2008).

  • Java? (Score:3, Interesting)

    by alannon (54117) on Saturday July 03, 2010 @03:23PM (#32787516)

    I'd be a bit surprised if Java could take advantage of either of these mechanisms due to the nature of the dynamic compiler and class-loading, without major, major problems. MS probably had to build special mechanisms into the CLR runtime for it to work in .NET.
    On the other hand, Java has a reputation of being a pretty bulletproof platform in terms of the exploits that these two mechanisms are designed to protect against.

  • Re:Wait a minute (Score:1, Interesting)

    by Anonymous Coward on Saturday July 03, 2010 @03:25PM (#32787536)

    How would you write a JIT without the ability to turn off DEP on certain pages of memory?

  • by tepples (727027) <tepples AT gmail DOT com> on Saturday July 03, 2010 @03:56PM (#32787694) Homepage Journal
    Managed execution environments, such as .NET and Java, usually recompile each method as it is executed for the first time. In a DEP environment, the JIT recompiler needs a way to tell the OS to flip parts of memory between data and executable. So if "some" argue that managed code is broken by design, I'd guess "some" work for Apple's iOS division, the only company I can think of that has explicitly banned managed code.
  • Kernel, not apps (Score:2, Interesting)

    by Gothmolly (148874) on Saturday July 03, 2010 @04:21PM (#32787842)

    DEP should be handled by the operating system, not the apps. This is the philosphy which has made Windows such a mess over the years.

  • by CAOgdin (984672) on Saturday July 03, 2010 @04:32PM (#32787896)
    ...when it installs itself, in Windows, at %Userprofile%\Application Data\Google Chrome? That is just amateur programming, and is a real beast if you're in an Active Directory environment with Roaming Profiles, 'cause the damn software keeps getting copied to/from the server with ever logon/logoff. I understand Google might consider compliance with separation of programs from their data might be "difficult," but the ease with which any malmare can corrupt Chrome because of it's lack of installation security make Chrome a pariah in our environment, and I've banned it from all our and client computers!

If you are good, you will be assigned all the work. If you are real good, you will get out of it.

Working...