Friday, July 9, 2010

No Major Application implements DEP and ASLR for preventing unauthorized programs from taking over your PC


Big-name Windows applications neglect security

Two important security technologies, Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR), go a long way toward preventing unauthorized programs from taking over a PC. And Secunia Research just published a white paper with a disturbing analysis of popular Windows programs that don't use either.

Windows XP Service Pack 2 introduced DEP back in 2004. It is a technique that uses both hardware and software to keep a PC from executing programs that sit in areas that should be holding data. Historically, one of the easiest and most fruitful ways to take over a PC involves a buffer overflow - where an attack routine sticks a malicious program inside a data area and then tricks Windows into "running" the data. When a program asks Windows for DEP protection, and the hardware supports DEP, buffer overflow attacks are considerably more difficult. Not impossible, mind you, but DEP does pretty well blocking the most common and straightforward attacks.

ASLR arrived with the release of Windows Vista in 2007. When a program tells Windows that it wants to use ASLR, Windows sticks pieces of the program in randomly assigned parts of memory. If an attacker tries to access a specific location in the program, the attacker has to guess the location of the pertinent piece of the program, which can be quite difficult. Together DEP and ASLR aren't invincible, but they're formidable. In Windows 7 (and to a lesser extent Vista), turning on both DEP and ASLR is reasonably easy if the program is written properly and doesn't use certain undesirable coding techniques that fell out of favor years ago. That's why it's so shocking that many of the programs you and your users run every day don't support either or both.

Secunia tested sixteen applications - the most commonly used Windows apps as reported by Secunia's PSI scanning program. Each of the tested programs has been used as the vector in a real attack in the past two years. As of last month, none of these programs use DEP: Sun's Java JRE, Apple's QuickTime, Apple's iTunes (running on Win XP), OpenOffice, Google's Picasa, Foxit Reader, VLC Media Player, AOL's Winamp, and RealPlayer. Secunia determined that if a program doesn't use DEP, there's no reason to check for ASLR - kind of a security crawl-before-you-can-walk situation.
