Third-party apps failing to use Windows security features
Researchers at the Danish vulnerability tracking firm recently investigated whether some of the most popular third-party applications used two built-in Windows security features, known as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
DEP, first introduced in the Windows XP Service Pack 2 in August 2004, makes part of the memory nonexecutable and, as a result, renders the exploit development process more complex and time consuming.
ASLR, introduced with the release of Windows Vista in early 2007, randomizes memory space and significantly lowers the chances for certain code execution attacks to succeed.
These two defensive measures, used by most Microsoft applications, are overlooked by many third-party application developers even though they are simple to implement, the report states.
The defenses do not negate the need for patching or prevent all code execution attacks, but can in some cases prevent the exploitation of vulnerabilities, and in other cases, make successful exploitation much less likely, Thomas Kristensen, CSO of Secunia, told SCMagazineUS.com Thursday.
“These protective mechanisms are something that Microsoft has been promoting a lot regarding Windows 7 and Vista,” Kristensen said. “It's definitely something that software developers should be aware of, so why they haven't deployed them is difficult to answer.”
Some of the most popular third-party Windows programs, including Sun Java JRE, Apple Quicktime, VLC Media Player, OpenOffice.org, Google Picasa, Foxit Reader, Winamp and RealPlayer, do not currently use DEP or ASLR, the researchers found.
“The ones that should be the most motivated to use this are the big vendors who frequently get vulnerability reports,” Kristensen said. “So we fear implementation would be even worse for the vendors we didn't look at.”
On the positive side, some applications have, over time, become compatible with DEP, including Mozilla Firefox and Apple's iTunes and Safari. However, the overall implementation process has been slow and inconsistent between operating system versions, the report states. Even worse, ASLR support has been improperly implemented by “almost all vendors,” the report states.
The two security defenses must be used in concert for the best impact, Kristensen said.
“By combining DEP and ASLR, you raise the bar and make it significantly more difficult to exploit many of these vulnerabilities,” he said.
Of the 16 applications analyzed, Google Chrome was the only to utilize both DEP and ASLR, Kristensen said. A Google spokesman told SCMagazineUS.com on Thursday that the company also plans to enable these features in an upcoming release of Picasa.
“Going forward, I would hope that more vendors use these defensive mechanisms,” Kristensen said. “It would make it significantly harder to exploit common vulnerabilities in these products and that would help secure the end users.”