Feeds

Popular apps don't bother with Windows defences

No belt, no braces

The Essential Guide to IT Transformation

Many popular software applications have avoided including security protection mechanisms built into the latest versions of Windows. The omission leaves these applications at greater risk of hacker attack, according to a study by security patching and notification firm Secunia.

Two key security mechanisms in Windows - DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) - are designed to make it hard for hackers to develop reliable exploits even in cases where security bugs are present in Windows applications. DEP, first added to Windows with XP Service Pack 2 in August 2004, is designed to prevent the execution of writable memory. ASLR, which debuted with Vista, further complicates the process of creating reliable exploits.

But the safety mechanisms only come into play in cases where software applications fail to support the security mechanisms. Secunia's study on the most popular non-Microsoft applications installed on Windows users' systems, based on statistics from its PSI security patching tool, shows that the vast majority of 16 popular utilities analysed fail to support either DEP or ASLR.

Java, Apple Quicktime, Foxit Reader, Google Picasa, OpenOffice.org, RealPlayer and VLC Player all fail to integrate either DEP or ASLR. Browser makers - Mozilla Firefox, Chrome, Opera - do a rather better job of applying DEP but this integration is inconsistent between different Windows platforms and not reliably extended to ASLR.

Similar criticism applies to Adobe apps, a prime target for hacker attacks over recent months.

"DEP and ASLR support, although usually trivial to implement, is overlooked by a large number of application developers," Salin Rad Pop, a senior security specialist at Secunia, writes. "Some developers have over time made their applications compatible with DEP, but overall the implementation process has proven slow and uneven between OS versions."

"ASLR support is on the other hand improperly implemented by almost all vendors, allowing return-into-libc techniques to likely succeed in their applications or in browsers designed to be otherwise ASLR compliant."

Secunia reckons the failure to apply Microsoft's security protections has become a major reason why hackers have turned their sights against attacks against third-party applications, rather than Windows, a major trend in the vulnerability and exploit arena over the last two or three years.

"While most Microsoft applications take full advantage of DEP and ASLR, third-party applications have yet to fully adapt to the requirements of the two mechanisms. If we also consider the increasing number of vulnerabilities discovered in third-party applications, an attacker's choice for targeting a popular third-party application rather than a Microsoft product becomes very understandable," Secunia concludes.

Secunia's study can be found here (pdf). ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.