As of last month, none of these programs use DEP: Sun's Java JRE, Apple's QuickTime, Apple's iTunes (running on Windows XP), OpenOffice, Google's Picasa, Foxit Reader, VLC Media Player, AOL's Winamp, and RealPlayer. Secunia determined that if a program doesn't use DEP, there's no reason to check for ASLR -- kind of a security crawl-before-you-can-walk situation.
As of last month, these programs use DEP but don't use ASLR: Adobe Reader, Firefox, Apple's iTunes, Adobe's Shockwave Player (DEP is dependent on the browser being used), Opera, and Apple's Safari.
The programs that watch out for you? Adobe's Flash Player and Google's Chrome. That's it. Of course, Internet Explorer 8 uses DEP and ASLR, but both protections have already been cracked, most notoriously in the Pwn2Own 2010 competition.
Brian Krebs reports in his Krebs on Security Blog that VLC claims the latest version of its Media Player supports both DEP and ASLR. He also says that Foxit promises the next version of Reader will support both, and Google says it's going to put them in Picasa. Jeremy Kirk reports on the InfoWorld Security Central blog that there's a fix in the works for Opera. That fix didn't make it in time for Secunia's tests.
What to do? Unfortunately, there aren't many options. Lesser-known utilities may or may not enforce DEP and ASLR. At this point, perhaps the most important action you can take is to make sure your fellow IT professionals know about the problems. You might also consider dropping a nastygram on anyone you know at the offending companies.