Big-name Windows apps neglect security

Five years after Microsoft baked Data Execution Protection into Windows, many ubiquitous applications -- including QuickTime, Picasa, and OpenOffice -- still don't use it

Two important security technologies, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), go a long way toward preventing unauthorized programs from taking over a PC. And Secunia Research just published a white paper with a disturbing analysis of popular Windows programs that don't use either.

Windows XP Service Pack 2 introduced DEP back in 2004. It's is a technique that uses both hardware and software to keep a PC from executing programs that sit in areas that should be holding data. Historically, one of the easiest and most fruitful ways to take over a PC involves a buffer overflow -- where an attack routine sticks a malicious program inside a data area and then tricks Windows into "running" the data. When a program asks Windows for DEP protection, and the hardware supports DEP, buffer overflow attacks are considerably more difficult. Not impossible, mind you, but DEP does pretty well blocking the most common and straightforward attacks.

[ See Roger Grimes' coverage of the Pwn2Own convention in his Security Adviser blog on ]

ASLR arrived with the release of Windows Vista in 2007. When a program tells Windows that it wants to use ASLR, Windows sticks pieces of the program in randomly assigned parts of memory. If an attacker tries to access a specific location in the program, the attacker has to guess the location of the pertinent piece of the program, which can be quite difficult.

Together DEP and ASLR aren't invincible, but they're formidable. In Windows 7 (and to a lesser extent Vista), turning on both DEP and ASLR is reasonably easy if the program is written properly and doesn't use certain undesirable coding techniques that fell out of favor years ago.

That's why it's so shocking that many of the programs you and your users run every day don't support either or both.

Secunia tested 16 applications -- the most commonly used Windows apps as reported by Secunia's PSI scanning program. Each of the tested programs has been used as the vector in a real attack in the past two years.

As of last month, none of these programs use DEP: Sun's Java JRE, Apple's QuickTime, Apple's iTunes (running on Windows XP), OpenOffice, Google's Picasa, Foxit Reader, VLC Media Player, AOL's Winamp, and RealPlayer. Secunia determined that if a program doesn't use DEP, there's no reason to check for ASLR -- kind of a security crawl-before-you-can-walk situation.

As of last month, these programs use DEP but don't use ASLR: Adobe Reader, Firefox, Apple's iTunes, Adobe's Shockwave Player (DEP is dependent on the browser being used), Opera, and Apple's Safari.

The programs that watch out for you? Adobe's Flash Player and Google's Chrome. That's it. Of course, Internet Explorer 8 uses DEP and ASLR, but they've already been cracked, most notoriously in the Pwn2Own 2010 competition.

Brian Krebs reports in his Krebs on Security Blog that VLC claims the latest version of its Media Player supports both DEP and ASLR. He also says that Foxit promises the next version of Reader will support both, and Google says it's going to put them in Picasa. Jeremy Kirk reports on the InfoWorld Security Central blog that there's a fix in the works for Opera. That fix didn't make it in time for Secunia's tests.

What to do? Unfortunately, there aren't many options. Lesser-known utilities may or may not enforce DEP and ASLR. At this point, perhaps the most important action you can take is to make sure your fellow IT professionals know about the problems. You might also consider dropping a nastygram on anyone you know at the offending companies.

This article, "Big-name Windows apps neglect security," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog.

Copyright © 2010 IDG Communications, Inc.