Forgot your password?
typodupeerror
Security Programming Software Windows

Many Popular Windows Apps Ignore Security Options 202

Posted by Soulskill
from the who-uses-apps-anyway dept.
eldavojohn writes "The latest versions of Microsoft Windows have some good security options available — now if only they could get their most popular third-party applications to use them. A report from Secunia takes a look at two such options — DEP and ASLR — and Brian Krebs breaks down who is using them and who is not. A security specialist noted, 'If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly. While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms (PDF). If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.' Among those with neither DEP or ASLR: Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, and AOL's Winamp. While Flash player can't implement DEP, it does have ASLR. Google Chrome is the only popular third-party application listed with stars across the board." It's worth noting that several apps highlighted in the Secunia research paper have added support for those security options in recent patches, or are in the process of doing so. Examples include Firefox, VLC, and Foxit Reader.
This discussion has been archived. No new comments can be posted.

Many Popular Windows Apps Ignore Security Options

Comments Filter:
  • Adobe's problem (Score:4, Insightful)

    by ILuvRamen (1026668) on Saturday July 03, 2010 @01:53PM (#32786972)
    Somehow I think that adding both of those options to anything Adobe makes wouldn't make an ounce of difference. They first need to patch that whole "putting features and pretty design before security" thing.
    • I know it's cool to hate on Adobe these days, but did you even read the summary? They got it right on this one.
  • Why should this be up to an application at all? You either have a secure install or you don't, if you do, then no application would have the authority to run outside of the rules, if you don't, you have to acknowledge it as a user and force the OS not to bother forcing this.

    It's FIRST: User's choice. Second: OS enforcement. Distant third: what an individual application is doing.

    So if the user says: Enforce, then all calls to OS routines to allocate memory for example must be rerouted by the OS through th

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Just enforce the DEP and ASLR system wide and see what breaks. I personally couldn't imagine doing anything else. Few clicks and that's it.

    • Re: (Score:3, Informative)

      by hitmark (640295)

      DEP sounds similar to what simcity did back in the dos days, use memory after it had freed it. Funny thing is, microsoft made sure that if windows detected a dos binary named simcity do that, it would allow it. This to maintain backwards-compatibility.

      and i suspect this is also why DEP is made optional pr program, as there may have been some lazy code written back in the day thats still in use somewhere.

      • by Eudial (590661)

        [citation needed]

      • Re: (Score:3, Informative)

        by cbhacking (979169)

        DEP isn't really similar to that at all. That was a case of misusing a memory manager, which is bad behavior and can cause security holes, but doesn't really count as failing to use a security feature. DEP - Data Execute Protection - does just what it sounds like: it prevents the data (stack and heap) of a program's memory representation from being executed. More specifically, if the instruction pointer tries to move to a page of memory that has the NX (No eXecute) bit set, it throws a hardware interrupt an

        • The problem is, a lot of programs - especially those that execute any kind of code, such a JavaScript in Foxit or ActionScript in Flash - use executable code in data pages legitimately, and intentionally call into it. The CPU doesn't know the difference, so those programs get killed too. The OS *can* know the difference - you can set exemptions for specific apps in Windows - but adding such an exemption just turns of DEP for that program entirely.

          Any application that doesn't run unless exempted from DEP should be considered seriously broken and require fixing (indeed, this is how it is for MS's own software). Any application that needs writable-executable data pages for whatever reason (JIT etc) should use the appropriate API calls to request OS to change page permissions from writable to executable and back as needed.

    • by TheLink (130905)

      It's already been the user's choice since WinXP SP2. The deal is, 1) you cannot turn it on by default because many apps will break. 2) most users are ignorant, they wouldn't know about the choice, understand the choice, or figure out what to do if stuff doesn't work and how to exclude them if desirable.

      http://support.microsoft.com/kb/875352#5 [microsoft.com]

      If you are logged on as an administrator, you can manually configure DEP to switch between the OptIn and OptOut policies by using the Data Execution Prevention tab in S

  • You can enable DEP on Windows and still allocate executable memory. You just can't to get it from malloc(). This feature is needed so little that it should be a pretty trivial amount of modifications to get code working. It's probably not that they can't, but that they simply won't because it's too low a priority compared to the next big shiny feature.
  • "app" (Score:3, Insightful)

    by Anonymous Coward on Saturday July 03, 2010 @02:13PM (#32787076)

    Can we please stop calling everything "apps" and go back to programs. App is getting to be as annoying as blog.

    • Re:"app" (Score:5, Funny)

      by hedwards (940851) on Saturday July 03, 2010 @02:32PM (#32787196)
      Well, then God help you when you come across an app blog that blogs blog apps.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      "App" has been short for "application" for a long time. I'm more annoyed by people who think it's specific to the iPhone (an intranet blog at work not long ago claimed (with no iContext, it was about the progress of technology rather than anything directly Apple-related) that the "first app" appeared in 2008).

      • by TeknoHog (164938)

        In my understanding, "application" means a piece of software with which users interact directly. "Program" means a piece of software in general, even kernels and libraries are programs. As "program" comes from a broader meaning (a set of contents/instructions, a plan) it is not limited to user interaction.

        Nevertheless, I keep using the word "program" for applications. Probably because, back in the days of Basic et al, we talked about writing "programs", and "application" was a later term I associate with

    • by mlts (1038732) *

      To me, apps are modules of code you find on smartphones. Applets are Java based pieces of code. Applications are executables made for a general purpose computer like a Windows machine, Mac, or pSeries. Programs are a catch-all, but I tend to use the word programs for code written on a full computer OS, as opposed to a smartphone.

  • by RenQuanta (3274) on Saturday July 03, 2010 @02:22PM (#32787122) Homepage

    I guess it's a matter of perspective...

    Insomnia Sec's SyScan presentation on defeating DEP [insomniasec.com] [PPT warning]

    Google cache HTML-ified alternative to the PPT [googleusercontent.com]

    It may well be that DEP's useful days are numbered. It's likely just a matter of time before these techniques are better researched, more widely understood and commonplace.

    As always, the best defense is in depth, responsible disclosure, and patching, patching, patching.

    • Re: (Score:3, Informative)

      by hitmark (640295)

      or hired guns pulling black ops missions on the people writing the malware.

    • by cbhacking (979169)

      Defeating DEP in and of itself is trivial. That's what ASLR is for. It's still technically possible to exploit an application that uses both, but it's much, much harder, and generally speaking you can't get a guarantee of success like you can with a return-to-shellcode or return-to-libc attack - the first of which DEP prevents and the second of which ASLR prevents.

  • DEP yes, ASLR no (Score:4, Interesting)

    by Animats (122034) on Saturday July 03, 2010 @02:33PM (#32787206) Homepage

    Data execution prevention is a no-brainer. Unix has had that since the 1970s.

    ASLR, though, is iffy. Randomizing the position of code in memory is a form of security through obscurity. If there's a bug that's exploitable with ASLR, it's a bug that can crash the program without it. It also makes debugging harder. No two crash dumps for the same bug are the same. Not even close.

    What's more useful is running applications with very limited privileges. If the browser's renderer can't do much except render the single page it's supposed to be rendering, then corruption within it isn't a big deal. Firefox's approach to running plugins in a separate process is a big step forward, and the more jail-like that process becomes, the better. You really need a mandatory security model like SELinux to make this work, and Windows doesn't have that.

    • Modern machines rely heavily on cache for efficiency, and thus code and data locality. I wonder what effect ASLR has on this.
      • by Anonymous Coward on Saturday July 03, 2010 @03:39PM (#32787606)

        None - ASLR affects the initial base location where various program sections are placed, so code & data locality remains the same relative to each other.

      • Re: (Score:3, Insightful)

        by cbhacking (979169)

        None, really. ASLR doesn't mean that every single instruction winds up somewhere random, it just means that when loading a file of executable code - either a program or a library - it places the in-memory representation at a random address. This means you can't, for example, do a return-to-libC attack by simply figuring out the address that your target platform places its C runtime at; it will instead be different on every system and every day. However, within any given binary, the relative locations of ins

    • Re:DEP yes, ASLR no (Score:4, Interesting)

      by abigsmurf (919188) on Saturday July 03, 2010 @03:08PM (#32787416)
      By that logic, encryption is also security through obscurity, therefore there's no point in encrpyting data.

      The point of ASLR isn't to provide absolute security, it's to provide an additional layer of security to make it harder to produce meaningful exploits from vulnerabilities.
    • Re: (Score:3, Informative)

      by benjymouse (756774)

      You really need a mandatory security model like SELinux to make this work, and Windows doesn't have that.

      Oh? Since Vista, Windows can run executables in "low integrity mode". When a low integrity mode process is started, the security token of the process (which is inherited from the user) is stripped of all admin privileges, stripped of write access to anywhere but a designed cache area and barred from making changes to the registry.

      Basically, Windows allows a user account to be sub-divided based on the activity the account is used for. If it is a potentially internet faced activity the app should use low-inte

    • by JackDW (904211)

      Agreed, seems like security theatre to me. ASLR makes legitimate debugging a pain, and what's the benefit? It's the computing equivalent of airport security.

      Furthermore, DEP sounds good, but my eyes were opened recently to return-oriented programming, which allows arbitrary exploits to run without ever modifying any executable code. And ASLR/DEP are useless when the exploits run as managed code anyway: a common attack vector ever since the first MS Word macro viruses.

    • ASLR, though, is iffy. Randomizing the position of code in memory is a form of security through obscurity.

      Yes, and guess what? Security through obscurity works, too. It's not foolproof, for sure, but it can make it much harder to break something. Especially - as is the case with ASLR - the "obscured" bits change every time.

      The direct analogy would be passwords - they are themselves a classic example of security through obscurity (indeed, the security of the password-protected system hinges on only trusted person/people knowing the password, and no-one else), and the more often you change them, the more secure y

  • by noidentity (188756) on Saturday July 03, 2010 @02:58PM (#32787338)
    Microsoft also added, "If only those applications would use our special memory access functions, they wouldn't go overwriting other programs' memory. There's nothing we can do at the OS level to prevent this, so it's up to application developers to do the ritght thing."
    • by toadlife (301863)

      Was that meant to be funny?

      • Do you mean, were Microsoft's bad decisions meant to be funny, or did you mean, was the executive summary of Microsoft's bad decisions highlighted at an opportune time with ironic phrasing meant to be funny?

  • by sproketboy (608031) on Saturday July 03, 2010 @03:20PM (#32787500)

    because Its PDF and I don't know if my Adobe reader has DEP so I'm afraid I'll get hacked..... /s

  • Java? (Score:3, Interesting)

    by alannon (54117) on Saturday July 03, 2010 @03:23PM (#32787516)

    I'd be a bit surprised if Java could take advantage of either of these mechanisms due to the nature of the dynamic compiler and class-loading, without major, major problems. MS probably had to build special mechanisms into the CLR runtime for it to work in .NET.
    On the other hand, Java has a reputation of being a pretty bulletproof platform in terms of the exploits that these two mechanisms are designed to protect against.

    • I'd be a bit surprised if Java could take advantage of either of these mechanisms due to the nature of the dynamic compiler and class-loading, without major, major problems.

      It is entirely possible to take advantage of these counter-measures. I believe that Java on BSD does something like copying memory around to support the NX bit and still allow the running process to write new code. The restriction that is enforced is that a memory block cannot be *both* executable *and* writable. It is perfectly ok to write memory and then switch it to executable code.

      MS probably had to build special mechanisms into the CLR runtime for it to work in .NET.

      No, they just designed .NET to always execute fully compiled. Unlike Java, .NETs "intermediate code" was never intended to b

      • Re: (Score:3, Informative)

        by bertok (226922)

        No, they just designed .NET to always execute fully compiled. Unlike Java, .NETs "intermediate code" was never intended to be interpreted at runtime. Instead .NET JITs an assembly (dll) before executing. .NET even supports creating assemblies dynamically (no hacks) through Reflection.Emit (no need to save to files and do bytecode manipulation). A dynamic assembly is still compiled fully to machine instructions before execution begins.

        I was just reading the .NET 4 help file on this this week, and the JIT compiler is invoked on a per-method basis. The virtual function table is used to substitute the compiled methods for the original bytecode.

        One difference between .NET and Java is that .NET invokes the JIT on the "first call", whereas Java still prefers to run code using emulation until a method has been called a certain number of times, after which the JIT is invoked. You're almost right: .NET never executes anything other than compiled

    • Re: (Score:2, Informative)

      by BitZtream (692029)

      You simply have to ask for memory that doesn't have the NX bit set when requesting a memory allocation.

      Translation: You don't call malloc(), you use VirtualAlloc with the right flags. Then you get a block of memory back that can be executed.

      Either way, with interpreted languages, there is no requirement to be able to directly execute the memory. The interpreter is the executing code, reading and basing its execution path based on what the 'compiled' java byte code looks like. Java doesn't compile to nat

  • Kernel, not apps (Score:2, Interesting)

    by Gothmolly (148874)

    DEP should be handled by the operating system, not the apps. This is the philosphy which has made Windows such a mess over the years.

    • DEP should be handled by the operating system, not the apps.

      Some applications still need to be aware of the operating system's DEP facility. (See discussion above [slashdot.org] for why.)

    • Re: (Score:3, Informative)

      by cbhacking (979169)

      First of all, DEP is technically a kernel feature, or at least parts of it require kernel support. MS even wrote a completely software-based feature that tries to implement DEP on systems without the NX bit (it's not perfect, but it helps a bit).

      Windows has 4 settings for DEP enforcement:

      * Turn it all off (generally not used, unless you have a misbehaving driver). This option is only available if you know where to look; it's not in the UI
      * Turn it on if a program opts in (most MS software do

  • ...when it installs itself, in Windows, at %Userprofile%\Application Data\Google Chrome? That is just amateur programming, and is a real beast if you're in an Active Directory environment with Roaming Profiles, 'cause the damn software keeps getting copied to/from the server with ever logon/logoff. I understand Google might consider compliance with separation of programs from their data might be "difficult," but the ease with which any malmare can corrupt Chrome because of it's lack of installation securi
    • by n0-0p (325773) on Saturday July 03, 2010 @05:42PM (#32788302)

      There's nothing wrong with installing a program in the Application directory; it's pretty much the norm on Windows for per-user installations. Think of it as equivalent to ~/bin on Unix systems. Of course that doesn't fit in well for enterprise environments, but Google does provide a pack installer for managed systems, [google.com] which installs under "Program Files" and lets you disable auto-updates. And while the current version of Chrome is lacking other enterprise features, the next version will have full support for GPO configuration, Admin templates, and all the other things you'd expect in an enterprise.

      As for your absurd claim that per-user installations are somehow a security vulnerability, you're going to have to provide something to back that up. Because I've spent about 15 years in the information security field I can't even get close to a rationale for that one.

NOWPRINT. NOWPRINT. Clemclone, back to the shadows again. - The Firesign Theater

Working...