Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released today.
Attackers usually craft software exploits so that they write data or programs to very specific, static sections in the operating system’s memory. To counter this, Microsoft introduced a feature called address space layout randomization (ASLR) with Windows Vista (and Windows 7), which constantly moves these memory points to different positions. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they’re seeking, the code placed there will not execute or run.
These protections are available to any application built to run on top of the operating system. But according to a new analysis by software vulnerability management firm Secunia, half of the third-party apps they looked at fail to leverage either feature.
As indicated by the chart to the right, Secunia found that at least 50 percent of the applications examined — including Apple Quicktime, Foxit Reader, Google Picasa, Java, OpenOffice.org, RealPlayer, VideoLAN VLC Player, and AOL’s Winamp — still do not invoke either DEP or ASLR. Secunia said DEP adoption has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors.
“If both DEP and ASLR are correctly deployed, the ease of exploit development decreases significantly,” wrote Alin Rad Pop, a senior security specialist at Secunia. “While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker’s choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable.”
I followed up with the makers of all eight products that Secunia said ignored both DEP and ASLR, and received a few encouraging answers. VLC maker VideoLAN said the most recent version, v. 1.1.0, takes advantage of both features. Foxit Software said its Foxit Reader will support ASLR and DEP in the next major release. I will update this post if and when I hear from other vendors. A Google spokesperson said the company plans to implement these features in a future release.
Windows does have other built-in security features, such as user account control (UAC, on Windows Vista and Windows 7) and a limited user account (especially important for Windows XP users). XP users who can’t be bothered to adopt the limited user approach would do well to consider something like Drop My Rights for specific Internet-facing apps. Sandboxie is another application that allows users to box in or “sandbox” specific applications, such as browsers, IM clients, media players and the like, to block potential exploits from forcing these apps to write to other portions of system memory or the hard drive.
In the final analysis, Secunia notes, there is no substitute for applying security updates as soon as they’re made available, and Secunia itself makes one of the best apps for helping users stay on top of this regular chore. The free Personal Software Inspector application sits in the background, alerts users when it finds programs that are out of date, and provides a central, one-click place for downloading the latest application updates.
Earlier this year, I wrote about an upcoming release of the PSI tool that lets users choose to have PSI automatically download and install updates for third-party applications as they become available. Secunia is currently testing a limited technology preview version (that is, pre-beta, so install at your own risk) of this new feature, available here. I’ll post a longer review of this software in a future article, but so far the auto-patch feature appears to be unobtrusive and working as advertised, at least on my Windows 7 test system.
The full report is available from Secunia’s site, at this link.