Third-Party Windows Apps Not Using Microsoft Security Features, Researchers Find
A study by Secunia finds that many popular third-party applications, such as Sun Java JRE, Apple QuickTime and Google Picasa, are not taking advantage of the protections offered by two security features built into Microsoft Windows.Danish security company Secunia revealed July 1 that many popular third-party Windows applications are not taking advantage of two built-in Windows security measures that could help defend against code execution attacks. According to Secunia, applications such as Sun Java JRE, Apple QuickTime and RealPlayer are not making use of Microsoft's DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) technologies. The report, entitled DEP/ASLR Implementation Progress in Popular Third-Party Windows Applications, (PDF) analyzed the way 16 popular applications use-or don't use-DEP or ASLR, and whether that has changed over time.
DEP was first added to Windows in Windows XP Service Pack 2 in August of 2004, and prevents applications from executing code from a nonexecutable memory region. Microsoft added ASLR to Windows Vista in 2007. ASLR randomizes memory space to lower the chance of an attacker successfully executing code.