Many Popular Windows Apps Ignore Security Options

eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP or ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader.

Report is flawed

[Anonymous Coward]

VLC uses both DEP and ASLR in the latest VLC 1.1.0.

The blog is a rewrite of a blog from Secunia who is testing an old version of VLC...
They can't even spread their "security fear" correctly...

Re:isn't that OSs problem?

[Anonymous Coward]

Just enforce the DEP and ASLR system wide and see what breaks. I personally couldn't imagine doing anything else. Few clicks and that's it.

"decreases significantly"?

[RenQuanta]

I guess it's a matter of perspective...

Insomnia Sec's SyScan presentation on defeating DEP [insomniasec.com] [PPT warning]

Google cache HTML-ified alternative to the PPT [googleusercontent.com]

It may well be that DEP's useful days are numbered. It's likely just a matter of time before these techniques are better researched, more widely understood and commonplace.

As always, the best defense is in depth, responsible disclosure, and patching, patching, patching.

DEP yes, ASLR no

[Animats]

Data execution prevention is a no-brainer. Unix has had that since the 1970s.

ASLR, though, is iffy. Randomizing the position of code in memory is a form of security through obscurity. If there's a bug that's exploitable with ASLR, it's a bug that can crash the program without it. It also makes debugging harder. No two crash dumps for the same bug are the same. Not even close.

What's more useful is running applications with very limited privileges. If the browser's renderer can't do much except render the single page it's supposed to be rendering, then corruption within it isn't a big deal. Firefox's approach to running plugins in a separate process is a big step forward, and the more jail-like that process becomes, the better. You really need a mandatory security model like SELinux to make this work, and Windows doesn't have that.

ASLR possibly degrades performance?

[Rockoon]

Modern machines rely heavily on cache for efficiency, and thus code and data locality. I wonder what effect ASLR has on this.

Re:DEP yes, ASLR no

[abigsmurf]

By that logic, encryption is also security through obscurity, therefore there's no point in encrpyting data.

The point of ASLR isn't to provide absolute security, it's to provide an additional layer of security to make it harder to produce meaningful exploits from vulnerabilities.

Re:"app"

[Anonymous Coward]

"App" has been short for "application" for a long time. I'm more annoyed by people who think it's specific to the iPhone (an intranet blog at work not long ago claimed (with no iContext, it was about the progress of technology rather than anything directly Apple-related) that the "first app" appeared in 2008).

Java?

[alannon]

I'd be a bit surprised if Java could take advantage of either of these mechanisms due to the nature of the dynamic compiler and class-loading, without major, major problems. MS probably had to build special mechanisms into the CLR runtime for it to work in .NET.
On the other hand, Java has a reputation of being a pretty bulletproof platform in terms of the exploits that these two mechanisms are designed to protect against.

Re:Wait a minute

[Anonymous Coward]

How would you write a JIT without the ability to turn off DEP on certain pages of memory?

True, some work for Apple

[tepples]

Managed execution environments, such as .NET and Java, usually recompile each method as it is executed for the first time. In a DEP environment, the JIT recompiler needs a way to tell the OS to flip parts of memory between data and executable. So if "some" argue that managed code is broken by design, I'd guess "some" work for Apple's iOS division, the only company I can think of that has explicitly banned managed code.

Kernel, not apps

[Gothmolly]

DEP should be handled by the operating system, not the apps. This is the philosphy which has made Windows such a mess over the years.

How Can Google Chrome Be Considered "Safe"...

[CAOgdin]

...when it installs itself, in Windows, at %Userprofile%\Application Data\Google Chrome? That is just amateur programming, and is a real beast if you're in an Active Directory environment with Roaming Profiles, 'cause the damn software keeps getting copied to/from the server with ever logon/logoff. I understand Google might consider compliance with separation of programs from their data might be "difficult," but the ease with which any malmare can corrupt Chrome because of it's lack of installation security make Chrome a pariah in our environment, and I've banned it from all our and client computers!