Software vendors failing to use Microsoft Windows security systems

Secunia's researchers have revealed that many of the applications they examined – including Apple Quicktime, Foxit Reader, Google Picasa, Java and OpenOffice.org – do not support two Windows features: Address Space Layout Randomisation (ASLR), which dynamically moves memory access points around, and Data Execution Protection (DEP), which helps to block memory-based code execution by unauthorized software.

Secunia says that adoption of DEP has been slow and uneven between operating system versions, and that ASLR support is improperly implemented by nearly all vendors.

Reporting on the research, security expert Brian Krebs said that he followed up the report's findings with the makers of all eight products that Secunia said ignored both DEP and ASLR, "and received a few encouraging answers."

"VLC maker VideonLAN said the most recent version – v1.1.0 – takes advantage of both features. Foxit Software said its Foxit Reader will support ASLR and DEP in the next major release", he said in his security blog posting.

Interestingly, PC Mag security reporter Larry Seltzer said that his investigations and observations do not agree with Secunia's "shocking" findings.

"In a number of cases... Secunia puts a 'no' in their table when there is partial support, such as Shockwave's DEP in some browsers but not others. This seems misleading to me", he said in his blog posting.

"But I do want to thank them for bringing to my attention the false support for ASLR in some of these programmes, as they set the bit for their main image load but then load DLLs at fixed addresses. Shame on you Adobe, Apple, Mozilla and Opera", he added.

According to Seltzer, it's worth noting that Foxit Reader gets a lot of attention and installs as a supposedly safe alternative to Adobe Reader.

"While you may be safer for the fact that Foxit isn't targeted in the way that Adobe's Reader is, Foxit Software appears to be putting a lot less effort into their security than Adobe."

What’s hot on Infosecurity Magazine?